
Logstash Plain

The log entries show that Logstash could not index events to Elasticsearch because of document parsing errors. Specifically, the field "client.internetip" is mapped as type ip but contained the value "None", which is not a valid IP string. Elasticsearch rejected these documents with an illegal argument exception when Logstash tried to index them.

Uploaded by

veronle

[2024-02-25T00:02:45,984][WARN ][logstash.outputs.elasticsearch][zscaler]
[c737978fd5a2978fe26502c76557710a8c3a66b77a5a753c6242c5ba108388bb] Could not index
event to Elasticsearch. {:status=>400, :action=>["index",
{:_id=>nil, :_index=>"yokogawa-yhq-zscaler1", :routing=>nil}, {"protocol"=>"HTTP",
"client.ip"=>"10.1.24.105", "riskscore"=>"0",
"useragent"=>"BuffaloNASSMART:8d7d2decdf0b347b14c543593ed8dde06edcc08c1f165ccb11f92
438a2217178f1a3e27347ed5e9fa2cda901457c7a718dc1a2e017584c18e6e5c9aab0edd25d,TS5210D
,5.64-
0.09,1,bfd92c2fc11ba4e35002949032be386f75a16e247ffcff5f1109ee38f22d82ad10c68226a4d7
4fac3e2d50218751905f0e2471d0737770dbe6bf826a8102ca4b,WDC WD10EFRX-
68FYTN0,82.00A82,513868214272,965794975744,0,0,raid1,,200,200,051,0x0,,,,,161,132,0
21,0xb5c,100,100,000,0x15,200,200,140,0x0,,,,,200,200,000,0x0,,,,,066,066,000,0x62d
b,100,253,000,0x0,100,253,000,0x0,100,100,000,0x15,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,200,200,000,0x9,200,200,000,0xb,114,108,000,0x1d,,,,,200,200,00
0,0x0,200,200,000,0x0,100,253,000,0x0,200,200,000,0x0,100,253,000,0x0,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,", "appname"=>"General Browsing",
"urlsupercat"=>"Education", "reason"=>"None", "rulelabel"=>"None", "stime"=>"5",
"ctime"=>"5", "unscannable"=>"Other", "client.hostname"=>"NA",
"file.subtype"=>"None", "log"=>{"file"=>{"path"=>"/var/log/zscaler/zscaler2.log-
2024022500-1708819201"}}, "http.response.bytes"=>"560", "dlpengine"=>"None",
"client.internetip"=>"None", "event"=>{"original"=>"Feb 24 23:54:17 bot001-
0z0149.jp.ykgw.net \"Sun Feb 25 08:53:46 2024\",\"yokogawa_JP_5DC_main-
>yokogawa_5DC_main_auth\",\"HTTP\",\"p.buffalo.jp/buffalo-
nas_smart_aitopredictfailure\",\"Allowed\",\"General Browsing\",\"General
Browsing\",\"1718\",\"560\",\"5\",\"5\",\"Business
Use\",\"Education\",\"Science/Tech\",\"None\",\"None\",\"0\",\"None\",\"None\",\"yo
kogawa_JP_5DC_main->yokogawa_5DC_main_auth\",\"Default
Department\",\"10.1.24.105\",\"18.65.216.111\",\"GET\",\"200\",\"BuffaloNASSMART:8d
7d2decdf0b347b14c543593ed8dde06edcc08c1f165ccb11f92438a2217178f1a3e27347ed5e9fa2cda
901457c7a718dc1a2e017584c18e6e5c9aab0edd25d,TS5210D,5.64-
0.09,1,bfd92c2fc11ba4e35002949032be386f75a16e247ffcff5f1109ee38f22d82ad10c68226a4d7
4fac3e2d50218751905f0e2471d0737770dbe6bf826a8102ca4b,WDC WD10EFRX-
68FYTN0,82.00A82,513868214272,965794975744,0,0,raid1,,200,200,051,0x0,,,,,161,132,0
21,0xb5c,100,100,000,0x15,200,200,140,0x0,,,,,200,200,000,0x0,,,,,066,066,000,0x62d
b,100,253,000,0x0,100,253,000,0x0,100,100,000,0x15,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,200,200,000,0x9,200,200,000,0xb,114,108,000,0x1d,,,,,200,200,00
0,0x0,200,200,000,0x0,100,253,000,0x0,200,200,000,0x0,100,253,000,0x0,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\",\"None\",\"None\",\"None\",\"Other\",\"
None\",\"NA\",\"NA\",\"None\",\"None\",\"None\",\"None\",\"None\",\"210.160.226.16\
",\"None\",\"None\",\"None\",\"Allowed\""}, "@version"=>"1", "appclass"=>"General
Browsing", "contenttype"=>"None", "action"=>"Allowed", "file.type"=>"None",
"@timestamp"=>2024-02-24T23:53:46.000Z, "dlpdictionary"=>"None", "timestamp"=>"Sun
Feb 25 08:53:46 2024", "http.request.method"=>"GET", "urldomain"=>"p.buffalo.jp",
"http.response.status_code"=>"200", "destination.ip"=>"18.65.216.111",
"location"=>"yokogawa_JP_5DC_main->yokogawa_5DC_main_auth", "urlclass"=>"Business
Use", "file.name"=>"None", "column44"=>"Allowed", "client.name"=>"None",
"http.request.bytes"=>"1718", "file.hash.md5"=>"NA", "malwareclass"=>"None",
"threatname"=>"210.160.226.16", "file.class"=>"None", "urlcat"=>"Science/Tech",
"url"=>"p.buffalo.jp/buffalo-nas_smart_aitopredictfailure", "malwarecat"=>"None",
"ruletype"=>"None"}], :response=>{"index"=>{"status"=>400,
"error"=>{"type"=>"document_parsing_exception", "reason"=>"[1:1995] failed to parse
field [client.internetip] of type [ip] in document with id 'k5CS3Y0BVklrXWJFQFQk'.
Preview of field's value: 'None'",
"caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"'None' is not an IP
string literal."}}}}}
[2024-02-25T00:02:46,033][WARN ][logstash.outputs.elasticsearch][zscaler]
[c737978fd5a2978fe26502c76557710a8c3a66b77a5a753c6242c5ba108388bb] Could not index
event to Elasticsearch. {:status=>400, :action=>["index",
{:_id=>nil, :_index=>"yokogawa-yhq-zscaler1", :routing=>nil}, {"protocol"=>"HTTP",
"client.ip"=>"10.1.24.105", "riskscore"=>"0",
"useragent"=>"BuffaloNASSMART:8d7d2decdf0b347b14c543593ed8dde06edcc08c1f165ccb11f92
438a2217178f1a3e27347ed5e9fa2cda901457c7a718dc1a2e017584c18e6e5c9aab0edd25d,TS5210D
,5.64-
0.09,2,9775648a6ea12c57fa96672fe3d0492d3785a220f8ca8ae1d667dbad5123d19598d6ad071f3f
cedc2dd3dfa9ec2c90cc8f139d2ba0b4b1f55b868eb4f7e19b38,WDC WD10EFRX-
68FYTN0,82.00A82,513868214272,965794975744,0,0,raid1,,200,200,051,0x0,,,,,135,135,0
21,0x1091,100,100,000,0x14,200,200,140,0x0,,,,,200,200,000,0x0,,,,,066,066,000,0x62
d8,100,253,000,0x0,100,253,000,0x0,100,100,000,0x14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,200,200,000,0x8,200,200,000,0xb,112,108,000,0x1f,,,,,200,200,0
00,0x0,200,200,000,0x0,100,253,000,0x0,200,200,000,0x0,100,253,000,0x0,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,", "appname"=>"General Browsing",
"urlsupercat"=>"Education", "reason"=>"None", "rulelabel"=>"None", "stime"=>"5",
"ctime"=>"6", "unscannable"=>"Other", "client.hostname"=>"NA",
"file.subtype"=>"None", "log"=>{"file"=>{"path"=>"/var/log/zscaler/zscaler2.log-
2024022500-1708819201"}}, "http.response.bytes"=>"560", "dlpengine"=>"None",
"client.internetip"=>"None", "event"=>{"original"=>"Feb 24 23:54:18 bot001-
0z0149.jp.ykgw.net \"Sun Feb 25 08:53:46 2024\",\"yokogawa_JP_5DC_main-
>yokogawa_5DC_main_auth\",\"HTTP\",\"p.buffalo.jp/buffalo-
nas_smart_aitopredictfailure\",\"Allowed\",\"General Browsing\",\"General
Browsing\",\"1719\",\"560\",\"5\",\"6\",\"Business
Use\",\"Education\",\"Science/Tech\",\"None\",\"None\",\"0\",\"None\",\"None\",\"yo
kogawa_JP_5DC_main->yokogawa_5DC_main_auth\",\"Default
Department\",\"10.1.24.105\",\"18.65.216.109\",\"GET\",\"200\",\"BuffaloNASSMART:8d
7d2decdf0b347b14c543593ed8dde06edcc08c1f165ccb11f92438a2217178f1a3e27347ed5e9fa2cda
901457c7a718dc1a2e017584c18e6e5c9aab0edd25d,TS5210D,5.64-
0.09,2,9775648a6ea12c57fa96672fe3d0492d3785a220f8ca8ae1d667dbad5123d19598d6ad071f3f
cedc2dd3dfa9ec2c90cc8f139d2ba0b4b1f55b868eb4f7e19b38,WDC WD10EFRX-
68FYTN0,82.00A82,513868214272,965794975744,0,0,raid1,,200,200,051,0x0,,,,,135,135,0
21,0x1091,100,100,000,0x14,200,200,140,0x0,,,,,200,200,000,0x0,,,,,066,066,000,0x62
d8,100,253,000,0x0,100,253,000,0x0,100,100,000,0x14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,200,200,000,0x8,200,200,000,0xb,112,108,000,0x1f,,,,,200,200,0
00,0x0,200,200,000,0x0,100,253,000,0x0,200,200,000,0x0,100,253,000,0x0,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\",\"None\",\"None\",\"None\",\"Other\",\
"None\",\"NA\",\"NA\",\"None\",\"None\",\"None\",\"None\",\"None\",\"210.160.226.16
\",\"None\",\"None\",\"None\",\"Allowed\""}, "@version"=>"1", "appclass"=>"General
Browsing", "contenttype"=>"None", "action"=>"Allowed", "file.type"=>"None",
"@timestamp"=>2024-02-24T23:53:46.000Z, "dlpdictionary"=>"None", "timestamp"=>"Sun
Feb 25 08:53:46 2024", "http.request.method"=>"GET", "urldomain"=>"p.buffalo.jp",
"http.response.status_code"=>"200", "destination.ip"=>"18.65.216.109",
"location"=>"yokogawa_JP_5DC_main->yokogawa_5DC_main_auth", "urlclass"=>"Business
Use", "file.name"=>"None", "column44"=>"Allowed", "client.name"=>"None",
"http.request.bytes"=>"1719", "file.hash.md5"=>"NA", "malwareclass"=>"None",
"threatname"=>"210.160.226.16", "file.class"=>"None", "urlcat"=>"Science/Tech",
"url"=>"p.buffalo.jp/buffalo-nas_smart_aitopredictfailure", "malwarecat"=>"None",
"ruletype"=>"None"}], :response=>{"index"=>{"status"=>400,
"error"=>{"type"=>"document_parsing_exception", "reason"=>"[1:1996] failed to parse
field [client.internetip] of type [ip] in document with id '5pCS3Y0BVklrXWJFQFVo'.
Preview of field's value: 'None'",
"caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"'None' is not an IP
string literal."}}}}}
[2024-02-25T01:30:34,532][WARN ][logstash.codecs.plain ][zscaler]
[338c3256cbc9a25a68e8953fdaee35f73f7a34c5e1b88b71d476e31b8559c3e1] Received an
event that has a different character encoding than you configured. {:text=>"Feb 25
01:20:24 bot001-0z0149.jp.ykgw.net \\\"Sun Feb 25 10:18:46
2024\\\",\\\"kouichi.oono@yokogawa.com\\\",\\\"HTTPS\\\",\\\"manager.snar.jp/
contents/applicantdetail/download_dssreport.aspx?
StepNo=442&OBSID=00019539\\\",\\\"Allowed\\\",\\\"General Browsing\\\",\\\"General
Browsing\\\",\\\"1300\\\",\\\"106633\\\",\\\"303\\\",\\\"367\\\",\\\"Business
Use\\\",\\\"Business and Economy\\\",\\\"Professional
Services\\\",\\\"None\\\",\\\"None\\\",\\\"0\\\",\\\"None\\\",\\\"None\\\",\\\"Road
Warrior\\\",\\\"YPHQ CONC Edge Sol. Div. Hardware Dept. Sec.
1\\\",\\\"192.168.3.24\\\",\\\"13.107.213.46\\\",\\\"GET\\\",\\\"200\\\",\\\"Mozill
a/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/121.0.0.0 Safari/537.36
Edg/121.0.0.0\\\",\\\"manager.snar.jp/v2/tablet/inputevaluation\\\",\\\"None\\\",\\
\"None\\\",\\\"application/
pdf\\\",\\\"None\\\",\\\"00111859\\\",\\\"CPCaVIJ0xFBrut9\\\",\\\"None\\\",\\\"Othe
r Documents\\\",\\\"Portable Document Format (pdf)\\\",\\\"pdf\\\",\\\"DSS\\x83\\
x8C\\x83|\\x81[\\
x83g_00019539.pdf\\\",\\\"60.64.171.145\\\",\\\"None\\\",\\\"None\\\",\\\"None\\\",
\\\"Allowed\\\"", :expected_charset=>"UTF-8"}
[2024-02-25T01:30:59,043][WARN ][logstash.codecs.plain ][zscaler]
[338c3256cbc9a25a68e8953fdaee35f73f7a34c5e1b88b71d476e31b8559c3e1] Received an
event that has a different character encoding than you configured. {:text=>"Feb 25
01:23:04 bot001-0z0149.jp.ykgw.net \\\"Sun Feb 25 10:21:50
2024\\\",\\\"takuya.yokosuka@yokogawa.com\\\",\\\"HTTPS\\\",\\\"manager.snar.jp/
contents/applicantdetail/download_dssreport.aspx?
StepNo=442&OBSID=00020681\\\",\\\"Allowed\\\",\\\"General Browsing\\\",\\\"General
Browsing\\\",\\\"1307\\\",\\\"105708\\\",\\\"827\\\",\\\"902\\\",\\\"Business
Use\\\",\\\"Business and Economy\\\",\\\"Professional
Services\\\",\\\"None\\\",\\\"None\\\",\\\"0\\\",\\\"None\\\",\\\"None\\\",\\\"Road
Warrior\\\",\\\"D-Sol HQ SDC Systems Software R&D Dept. Tech. Sec.
1\\\",\\\"192.168.1.8\\\",\\\"13.107.246.46\\\",\\\"GET\\\",\\\"200\\\",\\\"Mozilla
/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/122.0.0.0 Safari/537.36
Edg/122.0.0.0\\\",\\\"manager.snar.jp/v2/tablet/inputevaluation\\\",\\\"None\\\",\\
\"None\\\",\\\"application/
pdf\\\",\\\"None\\\",\\\"00112345\\\",\\\"CPCpxU7HlLYE0ca\\\",\\\"None\\\",\\\"Othe
r Documents\\\",\\\"Portable Document Format (pdf)\\\",\\\"pdf\\\",\\\"DSS\\x83\\
x8C\\x83|\\x81[\\
x83g_00020681.pdf\\\",\\\"133.200.220.0\\\",\\\"None\\\",\\\"None\\\",\\\"None\\\",
\\\"Allowed\\\"", :expected_charset=>"UTF-8"}
[2024-02-25T01:45:44,648][WARN ][logstash.outputs.elasticsearch][zscaler]
[c737978fd5a2978fe26502c76557710a8c3a66b77a5a753c6242c5ba108388bb] Could not index
event to Elasticsearch. {:status=>400, :action=>["index",
{:_id=>nil, :_index=>"yokogawa-yhq-zscaler1", :routing=>nil}, {"protocol"=>"HTTP",
"client.ip"=>"10.24.32.37", "riskscore"=>"0",
"useragent"=>"BuffaloNASSMART:1ea3d446a278727f18bae99630335d49b3785b14ce4c6ecd7c510
fb4c1d1c27ca5e5d7ad093b4193aa2823d87b4ec15edccd0ab3e137d94d131c0ad4054beb24,TS5410D
,5.80-
0.02,1,8fc63ffe7534d7ab973ded7ab5f52a2a290053665627f739b5c16894548eb5b6bad721a04025
808c0fa7eb8c5ff806d3bf98f13eefa6d769e3b4c3f3599d30d0,ST2000VN004-
2E4164,SC60,749730381824,5900945850368,0,0,raid5,,120,099,006,0xe1e9928,,,,,096,095
,000,0x0,100,100,020,0x1d,100,100,010,0x0,,,,,087,060,030,0x23de575b,,,,,080,080,00
0,0x45a7,100,100,097,0x0,,,,,100,100,020,0x1d,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,100,099,0x0,,
,,,,,,,100,100,000,0x0,100,100,000,0x0,093,093,000,0x7,075,069,045,0x19,100,100,000
,0x0,100,100,000,0x12,100,100,000,0x4f,025,040,000,0x19,,,,,,,,,100,100,000,0x0,100
,100,000,0x0,200,200,000,0x0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,", "appname"=>"General Browsing", "urlsupercat"=>"Education", "reason"=>"None",
"rulelabel"=>"None", "stime"=>"6", "ctime"=>"6", "unscannable"=>"Other",
"client.hostname"=>"NA", "file.subtype"=>"None",
"log"=>{"file"=>{"path"=>"/var/log/zscaler/zscaler2.log-2024022501-1708825502"}},
"http.response.bytes"=>"560", "dlpengine"=>"None", "client.internetip"=>"None",
"event"=>{"original"=>"Feb 25 01:31:34 bot001-0z0149.jp.ykgw.net \"Sun Feb 25
10:30:21 2024\",\"yokogawa_JP_5DC_main->Server id Relc Proxy id Exchange
noauth\",\"HTTP\",\"p.buffalo.jp/buffalo-
nas_smart_aitopredictfailure\",\"Allowed\",\"General Browsing\",\"General
Browsing\",\"1894\",\"560\",\"6\",\"6\",\"Business
Use\",\"Education\",\"Science/Tech\",\"None\",\"None\",\"0\",\"None\",\"None\",\"yo
kogawa_JP_5DC_main->Server id Relc Proxy id Exchange noauth\",\"Default
Department\",\"10.24.32.37\",\"13.32.50.44\",\"GET\",\"200\",\"BuffaloNASSMART:1ea3
d446a278727f18bae99630335d49b3785b14ce4c6ecd7c510fb4c1d1c27ca5e5d7ad093b4193aa2823d
87b4ec15edccd0ab3e137d94d131c0ad4054beb24,TS5410D,5.80-
0.02,1,8fc63ffe7534d7ab973ded7ab5f52a2a290053665627f739b5c16894548eb5b6bad721a04025
808c0fa7eb8c5ff806d3bf98f13eefa6d769e3b4c3f3599d30d0,ST2000VN004-
2E4164,SC60,749730381824,5900945850368,0,0,raid5,,120,099,006,0xe1e9928,,,,,096,095
,000,0x0,100,100,020,0x1d,100,100,010,0x0,,,,,087,060,030,0x23de575b,,,,,080,080,00
0,0x45a7,100,100,097,0x0,,,,,100,100,020,0x1d,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,100,099,0x0,,
,,,,,,,100,100,000,0x0,100,100,000,0x0,093,093,000,0x7,075,069,045,0x19,100,100,000
,0x0,100,100,000,0x12,100,100,000,0x4f,025,040,000,0x19,,,,,,,,,100,100,000,0x0,100
,100,000,0x0,200,200,000,0x0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,\",\"None\",\"None\",\"None\",\"Other\",\"None\",\"NA\",\"NA\",\"None\",\"None\
",\"None\",\"None\",\"None\",\"210.160.226.16\",\"None\",\"None\",\"None\",\"Allowe
d\""}, "@version"=>"1", "appclass"=>"General Browsing", "contenttype"=>"None",
"action"=>"Allowed", "file.type"=>"None", "@timestamp"=>2024-02-25T01:30:21.000Z,
"dlpdictionary"=>"None", "timestamp"=>"Sun Feb 25 10:30:21 2024",
"http.request.method"=>"GET", "urldomain"=>"p.buffalo.jp",
"http.response.status_code"=>"200", "destination.ip"=>"13.32.50.44",
"location"=>"yokogawa_JP_5DC_main->Server id Relc Proxy id Exchange noauth",
"urlclass"=>"Business Use", "file.name"=>"None", "column44"=>"Allowed",
"client.name"=>"None", "http.request.bytes"=>"1894", "file.hash.md5"=>"NA",
"malwareclass"=>"None", "threatname"=>"210.160.226.16", "file.class"=>"None",
"urlcat"=>"Science/Tech", "url"=>"p.buffalo.jp/buffalo-
nas_smart_aitopredictfailure", "malwarecat"=>"None",
"ruletype"=>"None"}], :response=>{"index"=>{"status"=>400,
"error"=>{"type"=>"document_parsing_exception", "reason"=>"[1:2040] failed to parse
field [client.internetip] of type [ip] in document with id 'zDHw3Y0B0DUfrktZh1hu'.
Preview of field's value: 'None'",
"caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"'None' is not an IP
string literal."}}}}}
[2024-02-25T02:00:13,968][WARN ][logstash.codecs.plain ][zscaler]
[338c3256cbc9a25a68e8953fdaee35f73f7a34c5e1b88b71d476e31b8559c3e1] Received an
event that has a different character encoding than you configured. {:text=>"Feb 25
01:45:51 bot001-0z0149.jp.ykgw.net \\\"Sun Feb 25 10:44:18
2024\\\",\\\"takuya.yokosuka@yokogawa.com\\\",\\\"HTTPS\\\",\\\"manager.snar.jp/
contents/applicantdetail/download_dssreport.aspx?
StepNo=442&OBSID=00019496\\\",\\\"Allowed\\\",\\\"General Browsing\\\",\\\"General
Browsing\\\",\\\"1307\\\",\\\"120587\\\",\\\"3459\\\",\\\"3540\\\",\\\"Business
Use\\\",\\\"Business and Economy\\\",\\\"Professional
Services\\\",\\\"None\\\",\\\"None\\\",\\\"0\\\",\\\"None\\\",\\\"None\\\",\\\"Road
Warrior\\\",\\\"D-Sol HQ SDC Systems Software R&D Dept. Tech. Sec.
1\\\",\\\"192.168.1.8\\\",\\\"13.107.213.46\\\",\\\"GET\\\",\\\"200\\\",\\\"Mozilla
/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/122.0.0.0 Safari/537.36
Edg/122.0.0.0\\\",\\\"manager.snar.jp/v2/tablet/inputevaluation\\\",\\\"None\\\",\\
\"None\\\",\\\"application/
pdf\\\",\\\"None\\\",\\\"00112345\\\",\\\"CPCpxU7HlLYE0ca\\\",\\\"None\\\",\\\"Othe
r Documents\\\",\\\"Portable Document Format (pdf)\\\",\\\"pdf\\\",\\\"DSS\\x83\\
x8C\\x83|\\x81[\\
x83g_00019496.pdf\\\",\\\"133.200.220.0\\\",\\\"None\\\",\\\"None\\\",\\\"None\\\",
\\\"Allowed\\\"", :expected_charset=>"UTF-8"}
[2024-02-25T02:00:30,601][WARN ][logstash.codecs.plain ][zscaler]
[338c3256cbc9a25a68e8953fdaee35f73f7a34c5e1b88b71d476e31b8559c3e1] Received an
event that has a different character encoding than you configured. {:text=>"Feb 25
01:47:19 bot001-0z0149.jp.ykgw.net \\\"Sun Feb 25 10:46:05
2024\\\",\\\"takuya.yokosuka@yokogawa.com\\\",\\\"HTTPS\\\",\\\"manager.snar.jp/
contents/applicantdetail/download_dssreport.aspx?
StepNo=442&OBSID=00019496\\\",\\\"Allowed\\\",\\\"General Browsing\\\",\\\"General
Browsing\\\",\\\"1307\\\",\\\"120587\\\",\\\"356\\\",\\\"438\\\",\\\"Business
Use\\\",\\\"Business and Economy\\\",\\\"Professional
Services\\\",\\\"None\\\",\\\"None\\\",\\\"0\\\",\\\"None\\\",\\\"None\\\",\\\"Road
Warrior\\\",\\\"D-Sol HQ SDC Systems Software R&D Dept. Tech. Sec.
1\\\",\\\"192.168.1.8\\\",\\\"13.107.213.46\\\",\\\"GET\\\",\\\"200\\\",\\\"Mozilla
/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/122.0.0.0 Safari/537.36
Edg/122.0.0.0\\\",\\\"manager.snar.jp/v2/tablet/inputevaluation\\\",\\\"None\\\",\\
\"None\\\",\\\"application/
pdf\\\",\\\"None\\\",\\\"00112345\\\",\\\"CPCpxU7HlLYE0ca\\\",\\\"None\\\",\\\"Othe
r Documents\\\",\\\"Portable Document Format (pdf)\\\",\\\"pdf\\\",\\\"DSS\\x83\\
x8C\\x83|\\x81[\\
x83g_00019496.pdf\\\",\\\"133.200.220.0\\\",\\\"None\\\",\\\"None\\\",\\\"None\\\",
\\\"Allowed\\\"", :expected_charset=>"UTF-8"}
[2024-02-25T02:16:11,130][WARN ][logstash.codecs.plain ][zscaler]
[338c3256cbc9a25a68e8953fdaee35f73f7a34c5e1b88b71d476e31b8559c3e1] Received an
event that has a different character encoding than you configured. {:text=>"Feb 25
02:06:23 bot001-0z0149.jp.ykgw.net \\\"Sun Feb 25 11:05:09
2024\\\",\\\"takuya.yokosuka@yokogawa.com\\\",\\\"HTTPS\\\",\\\"manager.snar.jp/
contents/applicantdetail/download_dssreport.aspx?
StepNo=442&OBSID=00020681\\\",\\\"Allowed\\\",\\\"General Browsing\\\",\\\"General
Browsing\\\",\\\"1307\\\",\\\"105708\\\",\\\"343\\\",\\\"490\\\",\\\"Business
Use\\\",\\\"Business and Economy\\\",\\\"Professional
Services\\\",\\\"None\\\",\\\"None\\\",\\\"0\\\",\\\"None\\\",\\\"None\\\",\\\"Road
Warrior\\\",\\\"D-Sol HQ SDC Systems Software R&D Dept. Tech. Sec.
1\\\",\\\"192.168.1.8\\\",\\\"13.107.213.46\\\",\\\"GET\\\",\\\"200\\\",\\\"Mozilla
/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/122.0.0.0 Safari/537.36
Edg/122.0.0.0\\\",\\\"manager.snar.jp/v2/tablet/inputevaluation\\\",\\\"None\\\",\\
\"None\\\",\\\"application/
pdf\\\",\\\"None\\\",\\\"00112345\\\",\\\"CPCpxU7HlLYE0ca\\\",\\\"None\\\",\\\"Othe
r Documents\\\",\\\"Portable Document Format (pdf)\\\",\\\"pdf\\\",\\\"DSS\\x83\\
x8C\\x83|\\x81[\\
x83g_00020681.pdf\\\",\\\"133.200.220.0\\\",\\\"None\\\",\\\"None\\\",\\\"None\\\",
\\\"Allowed\\\"", :expected_charset=>"UTF-8"}
[2024-02-25T02:45:22,014][WARN ][logstash.outputs.elasticsearch][zscaler]
[c737978fd5a2978fe26502c76557710a8c3a66b77a5a753c6242c5ba108388bb] Could not index
event to Elasticsearch. {:status=>400, :action=>["index",
{:_id=>nil, :_index=>"yokogawa-yhq-zscaler1", :routing=>nil}, {"protocol"=>"HTTP",
"client.ip"=>"10.24.32.37", "riskscore"=>"0",
"useragent"=>"BuffaloNASSMART:f871adaa531dfc22aca1fb0d2f9629cf680bfca7384accf8e1c28
19430cc7b8140168d55734b44f9d91e171b73083c5579bb7c8a659148c60f512f473409a8f3,TS3420D
,5.80-
0.02,1,237d8039532a99aaa261cabd21f49c5a5cd93563689565bc0c2644e9cdd16297d348c3801a2a
f0dc64f70b3f2194942b9b8111c13b018a9cf49f24541de13dab,ST2000VN004-
2E4164,SC60,1485368467456,3930608918528,0,0,raid6,,119,099,006,0xc068da0,,,,,097,09
6,000,0x0,100,100,020,0x23,100,100,010,0x0,,,,,080,060,030,0x6e0a3c7,,,,,079,079,00
0,0x4a84,100,100,097,0x0,,,,,100,100,020,0x23,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,100,099,0x0,,
,,,,,,,100,100,000,0x0,100,100,000,0x0,083,083,000,0x11,072,060,045,0x1c,100,100,00
0,0x0,100,100,000,0x1a,100,100,000,0x55,028,040,000,0x1c,,,,,,,,,100,100,000,0x0,10
0,100,000,0x0,200,200,000,0x0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,", "appname"=>"General Browsing", "urlsupercat"=>"Education", "reason"=>"None",
"rulelabel"=>"None", "stime"=>"6", "ctime"=>"7", "unscannable"=>"Other",
"client.hostname"=>"NA", "file.subtype"=>"None",
"log"=>{"file"=>{"path"=>"/var/log/zscaler/zscaler2.log-2024022502-1708829101"}},
"http.response.bytes"=>"560", "dlpengine"=>"None", "client.internetip"=>"None",
"event"=>{"original"=>"Feb 25 02:30:32 bot001-0z0149.jp.ykgw.net \"Sun Feb 25
11:30:02 2024\",\"yokogawa_JP_5DC_main->Server id Relc Proxy id Exchange
noauth\",\"HTTP\",\"p.buffalo.jp/buffalo-
nas_smart_aitopredictfailure\",\"Allowed\",\"General Browsing\",\"General
Browsing\",\"1896\",\"560\",\"6\",\"7\",\"Business
Use\",\"Education\",\"Science/Tech\",\"None\",\"None\",\"0\",\"None\",\"None\",\"yo
kogawa_JP_5DC_main->Server id Relc Proxy id Exchange noauth\",\"Default
Department\",\"10.24.32.37\",\"13.32.50.63\",\"GET\",\"200\",\"BuffaloNASSMART:f871
adaa531dfc22aca1fb0d2f9629cf680bfca7384accf8e1c2819430cc7b8140168d55734b44f9d91e171
b73083c5579bb7c8a659148c60f512f473409a8f3,TS3420D,5.80-
0.02,1,237d8039532a99aaa261cabd21f49c5a5cd93563689565bc0c2644e9cdd16297d348c3801a2a
f0dc64f70b3f2194942b9b8111c13b018a9cf49f24541de13dab,ST2000VN004-
2E4164,SC60,1485368467456,3930608918528,0,0,raid6,,119,099,006,0xc068da0,,,,,097,09
6,000,0x0,100,100,020,0x23,100,100,010,0x0,,,,,080,060,030,0x6e0a3c7,,,,,079,079,00
0,0x4a84,100,100,097,0x0,,,,,100,100,020,0x23,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,100,099,0x0,,
,,,,,,,100,100,000,0x0,100,100,000,0x0,083,083,000,0x11,072,060,045,0x1c,100,100,00
0,0x0,100,100,000,0x1a,100,100,000,0x55,028,040,000,0x1c,,,,,,,,,100,100,000,0x0,10
0,100,000,0x0,200,200,000,0x0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,\",\"None\",\"None\",\"None\",\"Other\",\"None\",\"NA\",\"NA\",\"None\",\"None
\",\"None\",\"None\",\"None\",\"210.160.226.16\",\"None\",\"None\",\"None\",\"Allow
ed\""}, "@version"=>"1", "appclass"=>"General Browsing", "contenttype"=>"None",
"action"=>"Allowed", "file.type"=>"None", "@timestamp"=>2024-02-25T02:30:02.000Z,
"dlpdictionary"=>"None", "timestamp"=>"Sun Feb 25 11:30:02 2024",
"http.request.method"=>"GET", "urldomain"=>"p.buffalo.jp",
"http.response.status_code"=>"200", "destination.ip"=>"13.32.50.63",
"location"=>"yokogawa_JP_5DC_main->Server id Relc Proxy id Exchange noauth",
"urlclass"=>"Business Use", "file.name"=>"None", "column44"=>"Allowed",
"client.name"=>"None", "http.request.bytes"=>"1896", "file.hash.md5"=>"NA",
"malwareclass"=>"None", "threatname"=>"210.160.226.16", "file.class"=>"None",
"urlcat"=>"Science/Tech", "url"=>"p.buffalo.jp/buffalo-
nas_smart_aitopredictfailure", "malwarecat"=>"None",
"ruletype"=>"None"}], :response=>{"index"=>{"status"=>400,
"error"=>{"type"=>"document_parsing_exception", "reason"=>"[1:2041] failed to parse
field [client.internetip] of type [ip] in document with id 'Co0n3o0BVklrXWJFHSqQ'.
Preview of field's value: 'None'",
"caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"'None' is not an IP
string literal."}}}}}
[2024-02-25T02:46:58,327][WARN ][logstash.codecs.plain ][zscaler]
[338c3256cbc9a25a68e8953fdaee35f73f7a34c5e1b88b71d476e31b8559c3e1] Received an
event that has a different character encoding than you configured. {:text=>"Feb 25
02:43:05 bot001-0z0149.jp.ykgw.net \\\"Sun Feb 25 11:42:34
2024\\\",\\\"jicang.wang@cn.yokogawa.com\\\",\\\"HTTPS\\\",\\\"us-
request.foxitservice.com/certs/?
id=8b01a388108b2887e436d57984f6aa57&product=phantom&version=11.2.1.53537&edition=St
andard&language=zh-
CN&distID=&eutl=0&token=0078b0e40e7498e98020757aaf20ce16\\\",\\\"Allowed\\\",\\\"Ge
neral Browsing\\\",\\\"General
Browsing\\\",\\\"343\\\",\\\"362\\\",\\\"181\\\",\\\"181\\\",\\\"Business
Use\\\",\\\"Internet Communication\\\",\\\"Internet
Services\\\",\\\"None\\\",\\\"None\\\",\\\"0\\\",\\\"None\\\",\\\"None\\\",\\\"Road
Warrior\\\",\\\"Default
Department\\\",\\\"192.168.2.124\\\",\\\"64.62.208.12\\\",\\\"POST\\\",\\\"302\\\",
\\\"\\xB8\\xA3 꿸\\u07FC\\xB6PDF\\xB1 ༭\\xC6\\
xF7\\\",\\\"None\\\",\\\"None\\\",\\\"None\\\",\\\"text/
html\\\",\\\"None\\\",\\\"30019148\\\",\\\"cpc439-
da1046\\\",\\\"None\\\",\\\"None\\\",\\\"None\\\",\\\"None\\\",\\\"None\\\",\\\"112
.87.56.101\\\",\\\"None\\\",\\\"None\\\",\\\"None\\\",\\\"Allowed\\\"", :expected_c
harset=>"UTF-8"}
[2024-02-25T02:46:58,428][WARN ][logstash.codecs.plain ][zscaler]
[338c3256cbc9a25a68e8953fdaee35f73f7a34c5e1b88b71d476e31b8559c3e1] Received an
event that has a different character encoding than you configured. {:text=>"Feb 25
02:43:05 bot001-0z0149.jp.ykgw.net \\\"Sun Feb 25 11:42:35
2024\\\",\\\"jicang.wang@cn.yokogawa.com\\\",\\\"HTTPS\\\",\\\"cdn01.foxitsoftware.
com/pub/foxit/addonservice/certs/phantom/
fatl.pdf\\\",\\\"Blocked\\\",\\\"Foxit\\\",\\\"System and
Development\\\",\\\"174\\\",\\\"14830\\\",\\\"0\\\",\\\"0\\\",\\\"Business
Use\\\",\\\"Business and Economy\\\",\\\"Corporate
Marketing\\\",\\\"None\\\",\\\"None\\\",\\\"0\\\",\\\"None\\\",\\\"None\\\",\\\"Roa
d Warrior\\\",\\\"Default
Department\\\",\\\"192.168.2.124\\\",\\\"64.62.153.144\\\",\\\"GET\\\",\\\"403\\\",
\\\"\\xB8\\xA3 꿸\\u07FC\\xB6PDF\\xB1 ༭\\xC6\\
xF7\\\",\\\"None\\\",\\\"DevTools\\\",\\\"System_Develop_block_YCI_Group\\\",\\\"Ot
her\\\",\\\"None\\\",\\\"30019148\\\",\\\"cpc439-
da1046\\\",\\\"None\\\",\\\"None\\\",\\\"None\\\",\\\"None\\\",\\\"fatl.pdf\\\",\\\
"112.87.56.101\\\",\\\"None\\\",\\\"None\\\",\\\"None\\\",\\\"Not allowed the use
of this system and development site\\\"", :expected_charset=>"UTF-8"}
[2024-02-25T02:46:58,610][WARN ][logstash.codecs.plain ][zscaler]
[338c3256cbc9a25a68e8953fdaee35f73f7a34c5e1b88b71d476e31b8559c3e1] Received an
event that has a different character encoding than you configured. {:text=>"Feb 25
02:43:06 bot001-0z0149.jp.ykgw.net \\\"Sun Feb 25 11:42:36
2024\\\",\\\"jicang.wang@cn.yokogawa.com\\\",\\\"HTTPS\\\",\\\"us-
request.foxitservice.com/certs/?
id=23b9bcb725f190a2172b0d8ee1584c10&product=phantom&version=11.2.1.53537&edition=St
andard&language=zh-
CN&distID=&eutl=1&token=eb0ad20eed44e055fdbf241e484e54b0\\\",\\\"Allowed\\\",\\\"Ge
neral Browsing\\\",\\\"General
Browsing\\\",\\\"343\\\",\\\"362\\\",\\\"168\\\",\\\"168\\\",\\\"Business
Use\\\",\\\"Internet Communication\\\",\\\"Internet
Services\\\",\\\"None\\\",\\\"None\\\",\\\"0\\\",\\\"None\\\",\\\"None\\\",\\\"Road
Warrior\\\",\\\"Default
Department\\\",\\\"192.168.2.124\\\",\\\"64.62.208.12\\\",\\\"POST\\\",\\\"302\\\",
\\\"\\xB8\\xA3 꿸\\u07FC\\xB6PDF\\xB1 ༭\\xC6\\
xF7\\\",\\\"None\\\",\\\"None\\\",\\\"None\\\",\\\"text/
html\\\",\\\"None\\\",\\\"30019148\\\",\\\"cpc439-
da1046\\\",\\\"None\\\",\\\"None\\\",\\\"None\\\",\\\"None\\\",\\\"None\\\",\\\"112
.87.56.101\\\",\\\"None\\\",\\\"None\\\",\\\"None\\\",\\\"Allowed\\\"", :expected_c
harset=>"UTF-8"}
[2024-02-25T02:46:58,629][WARN ][logstash.codecs.plain ][zscaler]
[338c3256cbc9a25a68e8953fdaee35f73f7a34c5e1b88b71d476e31b8559c3e1] Received an
event that has a different character encoding than you configured. {:text=>"Feb 25
02:43:06 bot001-0z0149.jp.ykgw.net \\\"Sun Feb 25 11:42:36
2024\\\",\\\"jicang.wang@cn.yokogawa.com\\\",\\\"HTTPS\\\",\\\"cdn01.foxitsoftware.
com/pub/foxit/addonservice/certs/phantom/
eutl.pdf\\\",\\\"Blocked\\\",\\\"Foxit\\\",\\\"System and
Development\\\",\\\"174\\\",\\\"14830\\\",\\\"0\\\",\\\"0\\\",\\\"Business
Use\\\",\\\"Business and Economy\\\",\\\"Corporate
Marketing\\\",\\\"None\\\",\\\"None\\\",\\\"0\\\",\\\"None\\\",\\\"None\\\",\\\"Roa
d Warrior\\\",\\\"Default
Department\\\",\\\"192.168.2.124\\\",\\\"64.62.153.144\\\",\\\"GET\\\",\\\"403\\\",
\\\"\\xB8\\xA3 꿸\\u07FC\\xB6PDF\\xB1 ༭\\xC6\\
xF7\\\",\\\"None\\\",\\\"DevTools\\\",\\\"System_Develop_block_YCI_Group\\\",\\\"Ot
her\\\",\\\"None\\\",\\\"30019148\\\",\\\"cpc439-
da1046\\\",\\\"None\\\",\\\"None\\\",\\\"None\\\",\\\"None\\\",\\\"eutl.pdf\\\",\\\
"112.87.56.101\\\",\\\"None\\\",\\\"None\\\",\\\"None\\\",\\\"Not allowed the use
of this system and development site\\\"", :expected_charset=>"UTF-8"}
[2024-02-25T03:08:42,600][INFO ][logstash.pipelineaction.reload] Reloading pipeline
{"pipeline.id"=>:azure_waf_access}
[2024-02-25T03:08:42,875][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] Unregistering
Event Hub this can take a while... {:event_hub_name=>"insights-logs-
applicationgatewayaccesslog"}
[2024-02-25T03:08:42,876][INFO ]
[com.microsoft.azure.eventprocessorhost.EventProcessorHost][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] host logstash-
4fcf2a0c-6330-4c70-849d-e9190b511e71: Stopping event processing
[2024-02-25T03:08:42,876][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] host logstash-
4fcf2a0c-6330-4c70-849d-e9190b511e71: Shutting down all pumps
[2024-02-25T03:08:42,876][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] host logstash-
4fcf2a0c-6330-4c70-849d-e9190b511e71: 1: closing pump for reason Shutdown
[2024-02-25T03:08:42,876][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] host logstash-
4fcf2a0c-6330-4c70-849d-e9190b511e71: 1: pump shutdown for reason Shutdown
[2024-02-25T03:08:42,876][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] host logstash-
4fcf2a0c-6330-4c70-849d-e9190b511e71: 3: closing pump for reason Shutdown
[2024-02-25T03:08:42,876][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] host logstash-
4fcf2a0c-6330-4c70-849d-e9190b511e71: 3: pump shutdown for reason Shutdown
[2024-02-25T03:08:42,877][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] host logstash-
4fcf2a0c-6330-4c70-849d-e9190b511e71: 1: Setting receive handler to null
[2024-02-25T03:08:42,878][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] host logstash-
4fcf2a0c-6330-4c70-849d-e9190b511e71: 3: Setting receive handler to null
[2024-02-25T03:08:42,897][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] Unregistering
Event Hub this can take a while... {:event_hub_name=>"insights-logs-
applicationgatewayaccesslog"}
[2024-02-25T03:08:42,902][INFO ]
[com.microsoft.azure.eventprocessorhost.EventProcessorHost][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] host logstash-
cef0aa83-9c35-42e2-a918-73b7168b652d: Stopping event processing
[2024-02-25T03:08:42,902][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] host logstash-
cef0aa83-9c35-42e2-a918-73b7168b652d: Shutting down all pumps
[2024-02-25T03:08:42,903][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] host logstash-
cef0aa83-9c35-42e2-a918-73b7168b652d: 0: closing pump for reason Shutdown
[2024-02-25T03:08:42,903][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] host logstash-
cef0aa83-9c35-42e2-a918-73b7168b652d: 0: pump shutdown for reason Shutdown
[2024-02-25T03:08:42,903][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] host logstash-
cef0aa83-9c35-42e2-a918-73b7168b652d: 2: closing pump for reason Shutdown
[2024-02-25T03:08:42,903][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] host logstash-
cef0aa83-9c35-42e2-a918-73b7168b652d: 2: pump shutdown for reason Shutdown
[2024-02-25T03:08:42,917][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] host logstash-
cef0aa83-9c35-42e2-a918-73b7168b652d: 0: Setting receive handler to null
[2024-02-25T03:08:42,918][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] host logstash-
cef0aa83-9c35-42e2-a918-73b7168b652d: 2: Setting receive handler to null
[2024-02-25T03:08:47,851][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>83,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>63, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"d617b80a9c207d6e4740dd3510eff36e5c13c487c4e5f777a1c6e6a76a71011b"}]=>[{"thre
ad_id"=>81, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:08:47,860][ERROR][org.logstash.execution.ShutdownWatcherExt] The
shutdown process appears to be stalled due to busy or blocked plugins. Check the
logs for more information.
[2024-02-25T03:08:50,552][INFO ][com.microsoft.azure.eventhubs.impl.ReceivePump]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] Stopping receive
pump for eventHub (insights-logs-applicationgatewayaccesslog), consumerGroup
($Default), partition (3) as per the request.
[2024-02-25T03:08:50,553][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] host logstash-
4fcf2a0c-6330-4c70-849d-e9190b511e71: 3: Closing EH receiver
[2024-02-25T03:08:50,553][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] close:
clientId[PR_a02338_1708758473675_MF_a7fcfa_1708758473372]
[2024-02-25T03:08:50,553][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] close:
clientId[PR_a02338_1708758473675_MF_a7fcfa_1708758473372-InternalReceiver]
[2024-02-25T03:08:50,553][INFO ]
[com.microsoft.azure.eventhubs.impl.ActiveClientTokenManager][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
clientEntity[PR_a02338_1708758473675_MF_a7fcfa_1708758473372-InternalReceiver] -
canceling ActiveClientLinkManager
[2024-02-25T03:08:50,553][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] onLinkLocalClose
clientName[PR_a02338_1708758473675_MF_a7fcfa_1708758473372-InternalReceiver],
linkName[LN_cf0c52_1708758473949_f80_G19], errorCondition[null],
errorDescription[null]
[2024-02-25T03:08:50,553][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] closeSession for
clientName[PR_a02338_1708758473675_MF_a7fcfa_1708758473372-InternalReceiver],
linkName[LN_cf0c52_1708758473949_f80_G19], errorCondition[null],
errorDescription[null]
[2024-02-25T03:08:50,554][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onSessionLocalClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/3], entityName[MF_a7fcfa_1708758473372], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:08:50,561][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onLinkRemoteClose clientName[PR_a02338_1708758473675_MF_a7fcfa_1708758473372-
InternalReceiver], linkName[LN_cf0c52_1708758473949_f80_G19], errorCondition[null],
errorDescription[null]
[2024-02-25T03:08:50,561][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] processOnClose
clientName[PR_a02338_1708758473675_MF_a7fcfa_1708758473372-InternalReceiver],
linkName[LN_cf0c52_1708758473949_f80_G19], errorCondition[null],
errorDescription[null]
[2024-02-25T03:08:50,561][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onSessionRemoteClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/3], entityName[MF_a7fcfa_1708758473372], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:08:50,561][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] host logstash-
4fcf2a0c-6330-4c70-849d-e9190b511e71: 3: Closing EH client
[2024-02-25T03:08:50,561][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] close:
clientId[EC_19d06e_1708758473372]
[2024-02-25T03:08:50,561][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] close:
clientId[MF_a7fcfa_1708758473372]
[2024-02-25T03:08:50,561][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onConnectionLocalClose hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_a7fcfa_1708758473372], errorCondition[null], errorDescription[null]
[2024-02-25T03:08:50,562][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] onLinkLocalClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:08:50,562][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] closeSession for
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:08:50,562][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] onLinkLocalClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:08:50,562][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onSessionLocalClose connectionId[cbs-session], entityName[MF_a7fcfa_1708758473372],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:08:50,563][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onLinkRemoteClose clientName[cbs], linkName[cbs:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:08:50,564][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] processOnClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:08:50,564][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onLinkRemoteClose clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:08:50,564][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] processOnClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:08:50,564][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
requestResponseChannel.onClose complete clientId[MF_a7fcfa_1708758473372],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:08:50,564][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
messagingFactory[MF_a7fcfa_1708758473372], hostName[yazure-eventhub-
apg02.servicebus.windows.net], info[cbsChannel closed]
[2024-02-25T03:08:50,564][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onConnectionRemoteClose hostname[yazure-eventhub-
apg02.servicebus.windows.net:5671], connectionId[MF_a7fcfa_1708758473372],
errorCondition[null], errorDescription[null]
[2024-02-25T03:08:50,564][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onConnectionError messagingFactory[MF_a7fcfa_1708758473372], hostname[yazure-
eventhub-apg02.servicebus.windows.net], error[null]
[2024-02-25T03:08:50,564][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onTransportClosed hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_a7fcfa_1708758473372], error[n/a]
[2024-02-25T03:08:50,564][INFO ]
[com.microsoft.azure.eventhubs.impl.CustomIOHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onTransportClosed name[MF_a7fcfa_1708758473372], hostname[yazure-eventhub-
apg02.servicebus.windows.net:5671]
[2024-02-25T03:08:50,564][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onConnectionUnbound hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_a7fcfa_1708758473372], state[CLOSED], remoteState[CLOSED]
[2024-02-25T03:08:50,565][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] onSessionFinal
connectionId[MF_a7fcfa_1708758473372], entityName[cbs-session], condition[null],
description[null]
[2024-02-25T03:08:50,565][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] onSessionFinal
connectionId[MF_a7fcfa_1708758473372], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/3], condition[null],
description[null]
[2024-02-25T03:08:50,565][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onConnectionFinal hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_a7fcfa_1708758473372], errorCondition[null], errorDescription[null]
[2024-02-25T03:08:50,565][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
messagingFactory[MF_a7fcfa_1708758473372], hostName[yazure-eventhub-
apg02.servicebus.windows.net], message[stopping the reactor because thread was
interrupted or the reactor has no more events to process.]
[2024-02-25T03:08:50,570][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is closing.
(reason=Shutdown)
[2024-02-25T03:08:52,877][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>83,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>63, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"d617b80a9c207d6e4740dd3510eff36e5c13c487c4e5f777a1c6e6a76a71011b"}]=>[{"thre
ad_id"=>81, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:08:57,902][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>83,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>63, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"d617b80a9c207d6e4740dd3510eff36e5c13c487c4e5f777a1c6e6a76a71011b"}]=>[{"thre
ad_id"=>81, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:08:59,870][INFO ][com.microsoft.azure.eventhubs.impl.ReceivePump]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] Stopping receive
pump for eventHub (insights-logs-applicationgatewayaccesslog), consumerGroup
($Default), partition (2) as per the request.
[2024-02-25T03:08:59,871][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] host logstash-
cef0aa83-9c35-42e2-a918-73b7168b652d: 2: Closing EH receiver
[2024-02-25T03:08:59,871][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] close:
clientId[PR_bf2099_1708758473634_MF_17abfe_1708758473382]
[2024-02-25T03:08:59,871][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] close:
clientId[PR_bf2099_1708758473634_MF_17abfe_1708758473382-InternalReceiver]
[2024-02-25T03:08:59,871][INFO ]
[com.microsoft.azure.eventhubs.impl.ActiveClientTokenManager][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
clientEntity[PR_bf2099_1708758473634_MF_17abfe_1708758473382-InternalReceiver] -
canceling ActiveClientLinkManager
[2024-02-25T03:08:59,871][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] onLinkLocalClose
clientName[PR_bf2099_1708758473634_MF_17abfe_1708758473382-InternalReceiver],
linkName[LN_18206b_1708758473937_168_G28], errorCondition[null],
errorDescription[null]
[2024-02-25T03:08:59,871][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] closeSession for
clientName[PR_bf2099_1708758473634_MF_17abfe_1708758473382-InternalReceiver],
linkName[LN_18206b_1708758473937_168_G28], errorCondition[null],
errorDescription[null]
[2024-02-25T03:08:59,871][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onSessionLocalClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/2], entityName[MF_17abfe_1708758473382], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:08:59,872][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onLinkRemoteClose clientName[PR_bf2099_1708758473634_MF_17abfe_1708758473382-
InternalReceiver], linkName[LN_18206b_1708758473937_168_G28], errorCondition[null],
errorDescription[null]
[2024-02-25T03:08:59,872][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] processOnClose
clientName[PR_bf2099_1708758473634_MF_17abfe_1708758473382-InternalReceiver],
linkName[LN_18206b_1708758473937_168_G28], errorCondition[null],
errorDescription[null]
[2024-02-25T03:08:59,872][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onSessionRemoteClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/2], entityName[MF_17abfe_1708758473382], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:08:59,873][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] host logstash-
cef0aa83-9c35-42e2-a918-73b7168b652d: 2: Closing EH client
[2024-02-25T03:08:59,874][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] close:
clientId[EC_fe5771_1708758473382]
[2024-02-25T03:08:59,874][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] close:
clientId[MF_17abfe_1708758473382]
[2024-02-25T03:08:59,874][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onConnectionLocalClose hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_17abfe_1708758473382], errorCondition[null], errorDescription[null]
[2024-02-25T03:08:59,879][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] onLinkLocalClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:08:59,879][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] closeSession for
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:08:59,879][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] onLinkLocalClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:08:59,879][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onSessionLocalClose connectionId[cbs-session], entityName[MF_17abfe_1708758473382],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:08:59,880][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onLinkRemoteClose clientName[cbs], linkName[cbs:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:08:59,880][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] processOnClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:08:59,880][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onLinkRemoteClose clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:08:59,880][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] processOnClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:08:59,880][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
requestResponseChannel.onClose complete clientId[MF_17abfe_1708758473382],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:08:59,880][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
messagingFactory[MF_17abfe_1708758473382], hostName[yazure-eventhub-
apg01.servicebus.windows.net], info[cbsChannel closed]
[2024-02-25T03:08:59,880][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onConnectionRemoteClose hostname[yazure-eventhub-
apg01.servicebus.windows.net:5671], connectionId[MF_17abfe_1708758473382],
errorCondition[null], errorDescription[null]
[2024-02-25T03:08:59,880][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onConnectionError messagingFactory[MF_17abfe_1708758473382], hostname[yazure-
eventhub-apg01.servicebus.windows.net], error[null]
[2024-02-25T03:08:59,880][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onTransportClosed hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_17abfe_1708758473382], error[n/a]
[2024-02-25T03:08:59,880][INFO ]
[com.microsoft.azure.eventhubs.impl.CustomIOHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onTransportClosed name[MF_17abfe_1708758473382], hostname[yazure-eventhub-
apg01.servicebus.windows.net:5671]
[2024-02-25T03:08:59,881][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onConnectionUnbound hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_17abfe_1708758473382], state[CLOSED], remoteState[CLOSED]
[2024-02-25T03:08:59,881][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] onSessionFinal
connectionId[MF_17abfe_1708758473382], entityName[cbs-session], condition[null],
description[null]
[2024-02-25T03:08:59,881][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] onSessionFinal
connectionId[MF_17abfe_1708758473382], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/2], condition[null],
description[null]
[2024-02-25T03:08:59,881][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onConnectionFinal hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_17abfe_1708758473382], errorCondition[null], errorDescription[null]
[2024-02-25T03:08:59,881][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
messagingFactory[MF_17abfe_1708758473382], hostName[yazure-eventhub-
apg01.servicebus.windows.net], message[stopping the reactor because thread was
interrupted or the reactor has no more events to process.]
[2024-02-25T03:08:59,881][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 2 is closing.
(reason=Shutdown)
[2024-02-25T03:09:02,914][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>83,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>63, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"d617b80a9c207d6e4740dd3510eff36e5c13c487c4e5f777a1c6e6a76a71011b"}]=>[{"thre
ad_id"=>81, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:09:07,934][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>83,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>63, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"d617b80a9c207d6e4740dd3510eff36e5c13c487c4e5f777a1c6e6a76a71011b"}]=>[{"thre
ad_id"=>81, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:09:11,433][INFO ][com.microsoft.azure.eventhubs.impl.ReceivePump]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] Stopping receive
pump for eventHub (insights-logs-applicationgatewayaccesslog), consumerGroup
($Default), partition (1) as per the request.
[2024-02-25T03:09:11,433][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] host logstash-
4fcf2a0c-6330-4c70-849d-e9190b511e71: 1: Closing EH receiver
[2024-02-25T03:09:11,433][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] close:
clientId[PR_ca04d1_1708758508729_MF_4141f0_1708758508380]
[2024-02-25T03:09:11,433][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] close:
clientId[PR_ca04d1_1708758508729_MF_4141f0_1708758508380-InternalReceiver]
[2024-02-25T03:09:11,433][INFO ]
[com.microsoft.azure.eventhubs.impl.ActiveClientTokenManager][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
clientEntity[PR_ca04d1_1708758508729_MF_4141f0_1708758508380-InternalReceiver] -
canceling ActiveClientLinkManager
[2024-02-25T03:09:11,433][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] onLinkLocalClose
clientName[PR_ca04d1_1708758508729_MF_4141f0_1708758508380-InternalReceiver],
linkName[LN_15f943_1708758508939_168_G28], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:11,434][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] closeSession for
clientName[PR_ca04d1_1708758508729_MF_4141f0_1708758508380-InternalReceiver],
linkName[LN_15f943_1708758508939_168_G28], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:11,434][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onSessionLocalClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/1], entityName[MF_4141f0_1708758508380], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:09:11,435][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onLinkRemoteClose clientName[PR_ca04d1_1708758508729_MF_4141f0_1708758508380-
InternalReceiver], linkName[LN_15f943_1708758508939_168_G28], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:11,435][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] processOnClose
clientName[PR_ca04d1_1708758508729_MF_4141f0_1708758508380-InternalReceiver],
linkName[LN_15f943_1708758508939_168_G28], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:11,435][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onSessionRemoteClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/1], entityName[MF_4141f0_1708758508380], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:09:11,436][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] host logstash-
4fcf2a0c-6330-4c70-849d-e9190b511e71: 1: Closing EH client
[2024-02-25T03:09:11,436][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] close:
clientId[EC_978e42_1708758508380]
[2024-02-25T03:09:11,436][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] close:
clientId[MF_4141f0_1708758508380]
[2024-02-25T03:09:11,440][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onConnectionLocalClose hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_4141f0_1708758508380], errorCondition[null], errorDescription[null]
[2024-02-25T03:09:11,441][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] onLinkLocalClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:09:11,441][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] closeSession for
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:09:11,441][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] onLinkLocalClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:11,441][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onSessionLocalClose connectionId[cbs-session], entityName[MF_4141f0_1708758508380],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:09:11,441][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onLinkRemoteClose clientName[cbs], linkName[cbs:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:11,441][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] processOnClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:09:11,441][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onLinkRemoteClose clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:11,442][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] processOnClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:11,442][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
requestResponseChannel.onClose complete clientId[MF_4141f0_1708758508380],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:09:11,442][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
messagingFactory[MF_4141f0_1708758508380], hostName[yazure-eventhub-
apg02.servicebus.windows.net], info[cbsChannel closed]
[2024-02-25T03:09:11,442][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onConnectionRemoteClose hostname[yazure-eventhub-
apg02.servicebus.windows.net:5671], connectionId[MF_4141f0_1708758508380],
errorCondition[null], errorDescription[null]
[2024-02-25T03:09:11,442][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onConnectionError messagingFactory[MF_4141f0_1708758508380], hostname[yazure-
eventhub-apg02.servicebus.windows.net], error[null]
[2024-02-25T03:09:11,446][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onTransportClosed hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_4141f0_1708758508380], error[n/a]
[2024-02-25T03:09:11,446][INFO ]
[com.microsoft.azure.eventhubs.impl.CustomIOHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onTransportClosed name[MF_4141f0_1708758508380], hostname[yazure-eventhub-
apg02.servicebus.windows.net:5671]
[2024-02-25T03:09:11,446][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onConnectionUnbound hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_4141f0_1708758508380], state[CLOSED], remoteState[CLOSED]
[2024-02-25T03:09:11,446][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] onSessionFinal
connectionId[MF_4141f0_1708758508380], entityName[cbs-session], condition[null],
description[null]
[2024-02-25T03:09:11,446][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] onSessionFinal
connectionId[MF_4141f0_1708758508380], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/1], condition[null],
description[null]
[2024-02-25T03:09:11,446][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onConnectionFinal hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_4141f0_1708758508380], errorCondition[null], errorDescription[null]
[2024-02-25T03:09:11,446][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
messagingFactory[MF_4141f0_1708758508380], hostName[yazure-eventhub-
apg02.servicebus.windows.net], message[stopping the reactor because thread was
interrupted or the reactor has no more events to process.]
[2024-02-25T03:09:11,447][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 is closing.
(reason=Shutdown)
[2024-02-25T03:09:11,447][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] host logstash-
4fcf2a0c-6330-4c70-849d-e9190b511e71: Partition manager exiting
[2024-02-25T03:09:11,448][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] Event Hub
insights-logs-applicationgatewayaccesslog is closed.
[2024-02-25T03:09:12,949][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>83,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>63, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"d617b80a9c207d6e4740dd3510eff36e5c13c487c4e5f777a1c6e6a76a71011b"}]=>[{"thre
ad_id"=>81, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:09:17,968][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>83,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>63, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"d617b80a9c207d6e4740dd3510eff36e5c13c487c4e5f777a1c6e6a76a71011b"}]=>[{"thre
ad_id"=>81, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:09:22,987][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>83,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>63, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"d617b80a9c207d6e4740dd3510eff36e5c13c487c4e5f777a1c6e6a76a71011b"}]=>[{"thre
ad_id"=>81, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:09:28,013][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>83,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>63, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"d617b80a9c207d6e4740dd3510eff36e5c13c487c4e5f777a1c6e6a76a71011b"}]=>[{"thre
ad_id"=>81, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:09:33,025][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>83,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>63, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"d617b80a9c207d6e4740dd3510eff36e5c13c487c4e5f777a1c6e6a76a71011b"}]=>[{"thre
ad_id"=>81, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:09:35,041][INFO ][com.microsoft.azure.eventhubs.impl.ReceivePump]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] Stopping receive
pump for eventHub (insights-logs-applicationgatewayaccesslog), consumerGroup
($Default), partition (0) as per the request.
[2024-02-25T03:09:35,041][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] host logstash-
cef0aa83-9c35-42e2-a918-73b7168b652d: 0: Closing EH receiver
[2024-02-25T03:09:35,041][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] close:
clientId[PR_303d89_1708758503869_MF_d101e6_1708758503406]
[2024-02-25T03:09:35,041][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] close:
clientId[PR_303d89_1708758503869_MF_d101e6_1708758503406-InternalReceiver]
[2024-02-25T03:09:35,041][INFO ]
[com.microsoft.azure.eventhubs.impl.ActiveClientTokenManager][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
clientEntity[PR_303d89_1708758503869_MF_d101e6_1708758503406-InternalReceiver] -
canceling ActiveClientLinkManager
[2024-02-25T03:09:35,041][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] onLinkLocalClose
clientName[PR_303d89_1708758503869_MF_d101e6_1708758503406-InternalReceiver],
linkName[LN_067512_1708758503941_c48d_G7], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:35,042][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] closeSession for
clientName[PR_303d89_1708758503869_MF_d101e6_1708758503406-InternalReceiver],
linkName[LN_067512_1708758503941_c48d_G7], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:35,043][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onSessionLocalClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/0], entityName[MF_d101e6_1708758503406], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:09:35,045][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onLinkRemoteClose clientName[PR_303d89_1708758503869_MF_d101e6_1708758503406-
InternalReceiver], linkName[LN_067512_1708758503941_c48d_G7], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:35,049][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] processOnClose
clientName[PR_303d89_1708758503869_MF_d101e6_1708758503406-InternalReceiver],
linkName[LN_067512_1708758503941_c48d_G7], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:35,049][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onSessionRemoteClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/0], entityName[MF_d101e6_1708758503406], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:09:35,049][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] host logstash-
cef0aa83-9c35-42e2-a918-73b7168b652d: 0: Closing EH client
[2024-02-25T03:09:35,049][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] close:
clientId[EC_5ea8ac_1708758503406]
[2024-02-25T03:09:35,049][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] close:
clientId[MF_d101e6_1708758503406]
[2024-02-25T03:09:35,049][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onConnectionLocalClose hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_d101e6_1708758503406], errorCondition[null], errorDescription[null]
[2024-02-25T03:09:35,050][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] onLinkLocalClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:09:35,050][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] closeSession for
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:09:35,050][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] onLinkLocalClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:35,050][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onSessionLocalClose connectionId[cbs-session], entityName[MF_d101e6_1708758503406],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:09:35,050][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onLinkRemoteClose clientName[cbs], linkName[cbs:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:35,050][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] processOnClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:09:35,050][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onLinkRemoteClose clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:35,051][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] processOnClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:35,051][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
requestResponseChannel.onClose complete clientId[MF_d101e6_1708758503406],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:09:35,051][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
messagingFactory[MF_d101e6_1708758503406], hostName[yazure-eventhub-
apg01.servicebus.windows.net], info[cbsChannel closed]
[2024-02-25T03:09:35,051][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onConnectionRemoteClose hostname[yazure-eventhub-
apg01.servicebus.windows.net:5671], connectionId[MF_d101e6_1708758503406],
errorCondition[null], errorDescription[null]
[2024-02-25T03:09:35,051][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onConnectionError messagingFactory[MF_d101e6_1708758503406], hostname[yazure-
eventhub-apg01.servicebus.windows.net], error[null]
[2024-02-25T03:09:35,051][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onTransportClosed hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_d101e6_1708758503406], error[n/a]
[2024-02-25T03:09:35,051][INFO ]
[com.microsoft.azure.eventhubs.impl.CustomIOHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onTransportClosed name[MF_d101e6_1708758503406], hostname[yazure-eventhub-
apg01.servicebus.windows.net:5671]
[2024-02-25T03:09:35,051][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onConnectionUnbound hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_d101e6_1708758503406], state[CLOSED], remoteState[CLOSED]
[2024-02-25T03:09:35,051][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] onSessionFinal
connectionId[MF_d101e6_1708758503406], entityName[cbs-session], condition[null],
description[null]
[2024-02-25T03:09:35,051][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] onSessionFinal
connectionId[MF_d101e6_1708758503406], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/0], condition[null],
description[null]
[2024-02-25T03:09:35,051][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
onConnectionFinal hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_d101e6_1708758503406], errorCondition[null], errorDescription[null]
[2024-02-25T03:09:35,051][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8]
messagingFactory[MF_d101e6_1708758503406], hostName[yazure-eventhub-
apg01.servicebus.windows.net], message[stopping the reactor because thread was
interrupted or the reactor has no more events to process.]
[2024-02-25T03:09:35,052][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 0 is closing.
(reason=Shutdown)
[2024-02-25T03:09:35,052][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] host logstash-
cef0aa83-9c35-42e2-a918-73b7168b652d: Partition manager exiting
[2024-02-25T03:09:35,052][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[78531fe84654ace086979c513427236139b5dde3f5dcf9bff215f68685381eb8] Event Hub
insights-logs-applicationgatewayaccesslog is closed.
[2024-02-25T03:09:36,252][INFO ][logstash.javapipeline ][azure_waf_access]
Pipeline terminated {"pipeline.id"=>"azure_waf_access"}
[2024-02-25T03:09:37,714][INFO ][logstash.javapipeline ] Pipeline
`azure_waf_access` is configured with `pipeline.ecs_compatibility: v8` setting. All
plugins in this pipeline will default to `ecs_compatibility => v8` unless
explicitly configured otherwise.
[2024-02-25T03:09:37,738][INFO ][logstash.outputs.elasticsearch][azure_waf_access]
New Elasticsearch output
{:class=>"LogStash::Outputs::ElasticSearch",
:hosts=>["https://32e3ba65a2fc4416939d56e649963b5a.ap-northeast-
1.aws.found.io:9243"]}
[2024-02-25T03:09:37,807][INFO ][logstash.outputs.elasticsearch][azure_waf_access]
Elasticsearch pool URLs updated {:changes=>{:removed=>[],
:added=>[https://logstash_internal:xxxxxx@32e3ba65a2fc4416939d56e649963b5a.ap-
northeast-1.aws.found.io:9243/]}}
[2024-02-25T03:09:37,920][WARN ][logstash.outputs.elasticsearch][azure_waf_access]
Restored connection to ES instance
{:url=>"https://logstash_internal:xxxxxx@32e3ba65a2fc4416939d56e649963b5a.ap-
northeast-1.aws.found.io:9243/"}
[2024-02-25T03:09:37,927][INFO ][logstash.outputs.elasticsearch][azure_waf_access]
Elasticsearch version determined (8.10.3) {:es_version=>8}
[2024-02-25T03:09:37,927][WARN ][logstash.outputs.elasticsearch][azure_waf_access]
Detected a 6.x and above cluster: the `type` event field won't be used to determine
the document _type {:es_version=>8}
[2024-02-25T03:09:37,947][INFO ][logstash.outputs.elasticsearch][azure_waf_access]
Not eligible for data streams because config contains one or more settings that are
not compatible with data streams: {"ilm_enabled"=>"true",
"ilm_rollover_alias"=>"yokogawa-azure-waf", "ilm_policy"=>"yokogawa-ilm-policy",
"ilm_pattern"=>"000001"}
[2024-02-25T03:09:37,948][INFO ][logstash.outputs.elasticsearch][azure_waf_access]
Data streams auto configuration (`data_stream => auto` or unset) resolved to
`false`
[2024-02-25T03:09:37,956][INFO ][logstash.filters.json ][azure_waf_access] ECS
compatibility is enabled but `target` option was not specified. This may cause
fields to be set at the top-level of the event where they are likely to clash with
the Elastic Common Schema. It is recommended to set the `target` option to avoid
potential schema conflicts (if your data is ECS compliant or non-conflicting, feel
free to ignore this message)
[2024-02-25T03:09:37,962][WARN ][logstash.filters.geoip ][azure_waf_access] ECS
expect `target` value `geoip` in ["client", "destination", "host", "observer",
"server", "source"]
[2024-02-25T03:09:37,965][INFO ][logstash.filters.geoip.databasemanager]
[azure_waf_access] By not manually configuring a database path with `database =>`,
you accepted and agreed MaxMind EULA. For more details please visit
https://www.maxmind.com/en/geolite2/eula
[2024-02-25T03:09:37,965][INFO ][logstash.filters.geoip ][azure_waf_access] Using
geoip database
{:path=>"/var/lib/logstash/plugins/filters/geoip/1708740948/GeoLite2-City.mmdb"}
[2024-02-25T03:09:37,968][INFO ][logstash.outputs.elasticsearch][azure_waf_access]
Using a default mapping template {:es_version=>8, :ecs_compatibility=>:v8}
[2024-02-25T03:09:37,975][WARN ][logstash.javapipeline ][azure_waf_access]
'pipeline.ordered' is enabled and is likely less efficient, consider disabling if
preserving event order is not necessary
[2024-02-25T03:09:37,979][INFO ][logstash.javapipeline ][azure_waf_access]
Starting pipeline {:pipeline_id=>"azure_waf_access", "pipeline.workers"=>1,
"pipeline.batch.size"=>125, "pipeline.batch.delay"=>50,
"pipeline.max_inflight"=>125, "pipeline.sources"=>["/etc/logstash/conf.d/yhq-
azurewaf-accesslog.conf"], :thread=>"#<Thread:0x33234838
/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}
[2024-02-25T03:09:38,059][INFO ][logstash.javapipeline ][azure_waf_access]
Pipeline Java execution initialization time {"seconds"=>0.08}
[2024-02-25T03:09:38,071][INFO ][logstash.javapipeline ][azure_waf_access]
Pipeline started {"pipeline.id"=>"azure_waf_access"}
[2024-02-25T03:09:38,078][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub
insights-logs-applicationgatewayaccesslog is initializing...
[2024-02-25T03:09:38,079][WARN ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] You have NOT
specified a `storage_connection_string` for insights-logs-
applicationgatewayaccesslog. This configuration is only supported for a single
Logstash instance.
[2024-02-25T03:09:38,079][INFO ]
[com.microsoft.azure.eventprocessorhost.EventProcessorHost][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: New EventProcessorHost created.
[2024-02-25T03:09:38,095][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub
insights-logs-applicationgatewayaccesslog is initializing...
[2024-02-25T03:09:38,095][WARN ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] You have NOT
specified a `storage_connection_string` for insights-logs-
applicationgatewayaccesslog. This configuration is only supported for a single
Logstash instance.
[2024-02-25T03:09:38,095][INFO ]
[com.microsoft.azure.eventprocessorhost.EventProcessorHost][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: New EventProcessorHost created.
[2024-02-25T03:09:38,101][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Configuring
Event Hub insights-logs-applicationgatewayaccesslog to read only new events.
[2024-02-25T03:09:38,107][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Configuring
Event Hub insights-logs-applicationgatewayaccesslog to read only new events.
[2024-02-25T03:09:38,115][INFO ]
[com.microsoft.azure.eventprocessorhost.EventProcessorHost][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: Starting event processing.
[2024-02-25T03:09:38,116][INFO ]
[com.microsoft.azure.eventprocessorhost.EventProcessorHost][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: Starting event processing.
[2024-02-25T03:09:38,132][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_e7a2ce_1708830578115], hostName[yazure-eventhub-
apg02.servicebus.windows.net], info[starting reactor instance.]
[2024-02-25T03:09:38,133][INFO ][com.microsoft.azure.eventhubs.impl.ReactorHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
name[MF_e7a2ce_1708830578115] reactor.onReactorInit
[2024-02-25T03:09:38,133][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onConnectionInit
hostname[yazure-eventhub-apg02.servicebus.windows.net],
connectionId[MF_e7a2ce_1708830578115]
[2024-02-25T03:09:38,133][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalOpen hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_e7a2ce_1708830578115], errorCondition[null], errorDescription[null]
[2024-02-25T03:09:38,135][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_e3cb0c_1708830578116], hostName[yazure-eventhub-
apg01.servicebus.windows.net], info[starting reactor instance.]
[2024-02-25T03:09:38,136][INFO ][com.microsoft.azure.eventhubs.impl.ReactorHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
name[MF_e3cb0c_1708830578116] reactor.onReactorInit
[2024-02-25T03:09:38,136][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onConnectionInit
hostname[yazure-eventhub-apg01.servicebus.windows.net],
connectionId[MF_e3cb0c_1708830578116]
[2024-02-25T03:09:38,136][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalOpen hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_e3cb0c_1708830578116], errorCondition[null], errorDescription[null]
[2024-02-25T03:09:38,136][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionBound hostname[yazure-eventhub-apg01.servicebus.windows.net],
connectionId[MF_e3cb0c_1708830578116]
[2024-02-25T03:09:38,149][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionBound hostname[yazure-eventhub-apg02.servicebus.windows.net],
connectionId[MF_e7a2ce_1708830578115]
[2024-02-25T03:09:38,337][INFO ][logstash.agent ] Pipelines running
{:count=>6, :running_pipelines=>[:cucm, :yhq_cisco_asav_azure, :PA_FactoryPA_Threat
Intel, :zscaler, :ad, :azure_waf_access], :non_running_pipelines=>[]}
[2024-02-25T03:09:38,367][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteOpen hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_e3cb0c_1708830578116],
remoteContainer[0dee7b6fd199487aaf6cf57bcbf9a09c_G22]
[2024-02-25T03:09:38,368][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteOpen hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_e7a2ce_1708830578115],
remoteContainer[39ce30c621da453087261e8931457ffa_G13]
[2024-02-25T03:09:38,368][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_e7a2ce_1708830578115], hostName[yazure-eventhub-
apg02.servicebus.windows.net], getting a session.
[2024-02-25T03:09:38,368][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_e7a2ce_1708830578115], entityName[mgmt-session],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:09:38,377][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_e3cb0c_1708830578116], hostName[yazure-eventhub-
apg01.servicebus.windows.net], getting a session.
[2024-02-25T03:09:38,378][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_e3cb0c_1708830578116], entityName[mgmt-session],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:09:38,385][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
senderName[mgmt], linkName[mgmt:sender], localTarget[Target{address='$management',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:09:38,385][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[mgmt], linkName[mgmt:receiver],
localSource[Source{address='$management', durable=NONE, expiryPolicy=SESSION_END,
timeout=0, dynamic=false, dynamicNodeProperties=null, distributionMode=null,
filter=null, defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:09:38,388][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
senderName[mgmt], linkName[mgmt:sender], localTarget[Target{address='$management',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:09:38,395][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[mgmt], linkName[mgmt:receiver],
localSource[Source{address='$management', durable=NONE, expiryPolicy=SESSION_END,
timeout=0, dynamic=false, dynamicNodeProperties=null, distributionMode=null,
filter=null, defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:09:38,461][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_e3cb0c_1708830578116], entityName[mgmt-
session], sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:09:38,462][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
senderName[mgmt], linkName[mgmt:sender], remoteTarget[Target{address='$management',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:09:38,462][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[mgmt], linkName[mgmt:receiver],
remoteSource[Source{address='$management', durable=NONE, expiryPolicy=SESSION_END,
timeout=0, dynamic=false, dynamicNodeProperties=null, distributionMode=null,
filter=null, defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:09:38,461][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_e7a2ce_1708830578115], entityName[mgmt-
session], sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:09:38,462][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
senderName[mgmt], linkName[mgmt:sender], remoteTarget[Target{address='$management',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:09:38,462][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[mgmt], linkName[mgmt:receiver],
remoteSource[Source{address='$management', durable=NONE, expiryPolicy=SESSION_END,
timeout=0, dynamic=false, dynamicNodeProperties=null, distributionMode=null,
filter=null, defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:09:38,462][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onOpen complete clientId[MF_e3cb0c_1708830578116],
session[mgmt-session], link[mgmt], endpoint[$management]
[2024-02-25T03:09:38,462][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onOpen complete clientId[MF_e7a2ce_1708830578115],
session[mgmt-session], link[mgmt], endpoint[$management]
[2024-02-25T03:09:38,485][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: Eventhub insights-logs-
applicationgatewayaccesslog count of partitions: 4
[2024-02-25T03:09:38,485][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: Found partition with id: 0
[2024-02-25T03:09:38,485][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: Found partition with id: 1
[2024-02-25T03:09:38,485][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: Found partition with id: 2
[2024-02-25T03:09:38,485][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: Found partition with id: 3
[2024-02-25T03:09:38,485][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: Eventhub insights-logs-
applicationgatewayaccesslog count of partitions: 4
[2024-02-25T03:09:38,486][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: Found partition with id: 0
[2024-02-25T03:09:38,486][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: Found partition with id: 1
[2024-02-25T03:09:38,486][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: Found partition with id: 2
[2024-02-25T03:09:38,486][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: Found partition with id: 3
[2024-02-25T03:09:38,486][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[EC_eff09e_1708830578115]
[2024-02-25T03:09:38,486][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[MF_e7a2ce_1708830578115]
[2024-02-25T03:09:38,486][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[EC_5ded27_1708830578116]
[2024-02-25T03:09:38,486][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[MF_e3cb0c_1708830578116]
[2024-02-25T03:09:38,491][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalClose hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_e7a2ce_1708830578115], errorCondition[null], errorDescription[null]
[2024-02-25T03:09:38,498][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:38,498][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:38,498][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[mgmt], linkName[mgmt:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:38,498][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose connectionId[mgmt-session],
entityName[MF_e7a2ce_1708830578115], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:09:38,494][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub
registration complete. {:event_hub_name=>"insights-logs-
applicationgatewayaccesslog"}
[2024-02-25T03:09:38,498][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub is
processing events... {:event_hub_name=>"insights-logs-
applicationgatewayaccesslog"}
[2024-02-25T03:09:38,494][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: 2: creating new pump
[2024-02-25T03:09:38,499][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: 2: Creating and opening event processor
instance
[2024-02-25T03:09:38,494][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: 1: creating new pump
[2024-02-25T03:09:38,499][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: 1: Creating and opening event processor
instance
[2024-02-25T03:09:38,493][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalClose hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_e3cb0c_1708830578116], errorCondition[null], errorDescription[null]
[2024-02-25T03:09:38,500][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:38,500][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:38,500][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[mgmt], linkName[mgmt:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:38,500][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose connectionId[mgmt-session],
entityName[MF_e3cb0c_1708830578116], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:09:38,493][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub
registration complete. {:event_hub_name=>"insights-logs-
applicationgatewayaccesslog"}
[2024-02-25T03:09:38,500][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub is
processing events... {:event_hub_name=>"insights-logs-
applicationgatewayaccesslog"}
[2024-02-25T03:09:38,501][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:38,501][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:38,501][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[mgmt], linkName[mgmt:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:38,501][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[mgmt], linkName[mgmt:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:38,501][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onClose complete clientId[MF_e3cb0c_1708830578116],
session[mgmt-session], link[mgmt], endpoint[$management]
[2024-02-25T03:09:38,512][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_e3cb0c_1708830578116], hostName[yazure-eventhub-
apg01.servicebus.windows.net], info[mgmtChannel closed]
[2024-02-25T03:09:38,512][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteClose hostname[yazure-eventhub-
apg01.servicebus.windows.net:5671], connectionId[MF_e3cb0c_1708830578116],
errorCondition[null], errorDescription[null]
[2024-02-25T03:09:38,512][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionError messagingFactory[MF_e3cb0c_1708830578116], hostname[yazure-
eventhub-apg01.servicebus.windows.net], error[null]
[2024-02-25T03:09:38,512][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_e3cb0c_1708830578116], error[n/a]
[2024-02-25T03:09:38,512][INFO ]
[com.microsoft.azure.eventhubs.impl.CustomIOHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed name[MF_e3cb0c_1708830578116], hostname[yazure-eventhub-
apg01.servicebus.windows.net:5671]
[2024-02-25T03:09:38,512][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionUnbound hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_e3cb0c_1708830578116], state[CLOSED], remoteState[CLOSED]
[2024-02-25T03:09:38,512][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_e3cb0c_1708830578116], entityName[mgmt-session], condition[null],
description[null]
[2024-02-25T03:09:38,512][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionFinal hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_e3cb0c_1708830578116], errorCondition[null], errorDescription[null]
[2024-02-25T03:09:38,512][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_e3cb0c_1708830578116], hostName[yazure-eventhub-
apg01.servicebus.windows.net], message[stopping the reactor because thread was
interrupted or the reactor has no more events to process.]
[2024-02-25T03:09:38,513][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 is opening.
[2024-02-25T03:09:38,513][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: 1: Opening EH client
[2024-02-25T03:09:38,513][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 2 is opening.
[2024-02-25T03:09:38,513][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: 2: Opening EH client
[2024-02-25T03:09:38,513][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_bc4c67_1708830578513], hostName[yazure-eventhub-
apg02.servicebus.windows.net], info[starting reactor instance.]
[2024-02-25T03:09:38,513][INFO ][com.microsoft.azure.eventhubs.impl.ReactorHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
name[MF_bc4c67_1708830578513] reactor.onReactorInit
[2024-02-25T03:09:38,513][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onConnectionInit
hostname[yazure-eventhub-apg02.servicebus.windows.net],
connectionId[MF_bc4c67_1708830578513]
[2024-02-25T03:09:38,513][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_faffe8_1708830578513], hostName[yazure-eventhub-
apg01.servicebus.windows.net], info[starting reactor instance.]
[2024-02-25T03:09:38,513][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalOpen hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_bc4c67_1708830578513], errorCondition[null], errorDescription[null]
[2024-02-25T03:09:38,514][INFO ][com.microsoft.azure.eventhubs.impl.ReactorHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
name[MF_faffe8_1708830578513] reactor.onReactorInit
[2024-02-25T03:09:38,514][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onConnectionInit
hostname[yazure-eventhub-apg01.servicebus.windows.net],
connectionId[MF_faffe8_1708830578513]
[2024-02-25T03:09:38,514][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalOpen hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_faffe8_1708830578513], errorCondition[null], errorDescription[null]
[2024-02-25T03:09:38,514][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionBound hostname[yazure-eventhub-apg02.servicebus.windows.net],
connectionId[MF_bc4c67_1708830578513]
[2024-02-25T03:09:38,514][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionBound hostname[yazure-eventhub-apg01.servicebus.windows.net],
connectionId[MF_faffe8_1708830578513]
[2024-02-25T03:09:38,521][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:38,521][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:38,521][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[mgmt], linkName[mgmt:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:38,521][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[mgmt], linkName[mgmt:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:09:38,521][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onClose complete clientId[MF_e7a2ce_1708830578115],
session[mgmt-session], link[mgmt], endpoint[$management]
[2024-02-25T03:09:38,521][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_e7a2ce_1708830578115], hostName[yazure-eventhub-
apg02.servicebus.windows.net], info[mgmtChannel closed]
[2024-02-25T03:09:38,521][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteClose hostname[yazure-eventhub-
apg02.servicebus.windows.net:5671], connectionId[MF_e7a2ce_1708830578115],
errorCondition[null], errorDescription[null]
[2024-02-25T03:09:38,521][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionError messagingFactory[MF_e7a2ce_1708830578115], hostname[yazure-
eventhub-apg02.servicebus.windows.net], error[null]
[2024-02-25T03:09:38,521][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_e7a2ce_1708830578115], error[n/a]
[2024-02-25T03:09:38,521][INFO ]
[com.microsoft.azure.eventhubs.impl.CustomIOHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed name[MF_e7a2ce_1708830578115], hostname[yazure-eventhub-
apg02.servicebus.windows.net:5671]
[2024-02-25T03:09:38,522][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionUnbound hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_e7a2ce_1708830578115], state[CLOSED], remoteState[CLOSED]
[2024-02-25T03:09:38,522][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_e7a2ce_1708830578115], entityName[mgmt-session], condition[null],
description[null]
[2024-02-25T03:09:38,522][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionFinal hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_e7a2ce_1708830578115], errorCondition[null], errorDescription[null]
[2024-02-25T03:09:38,522][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_e7a2ce_1708830578115], hostName[yazure-eventhub-
apg02.servicebus.windows.net], message[stopping the reactor because thread was
interrupted or the reactor has no more events to process.]
[2024-02-25T03:09:38,604][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteOpen hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_faffe8_1708830578513],
remoteContainer[2635ff2b72224bf3a5d013237fd6ff08_G31]
[2024-02-25T03:09:38,609][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: 2: Retrieved starting offset
1537600179320//1261884
[2024-02-25T03:09:38,609][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: 2: Opening EH receiver with epoch 0 at
location offset[1537600179320], sequenceNumber[null], enqueuedTime[null],
inclusiveFlag[false]
[2024-02-25T03:09:38,615][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_35474c_1708830578609_MF_faffe8_1708830578513-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
2], operationTimeout[PT1M], creating a receive link
[2024-02-25T03:09:38,615][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_faffe8_1708830578513], hostName[yazure-eventhub-
apg01.servicebus.windows.net], getting a session.
[2024-02-25T03:09:38,615][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_faffe8_1708830578513], entityName[cbs-session],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:09:38,615][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
senderName[cbs], linkName[cbs:sender], localTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:09:38,615][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[cbs], linkName[cbs:receiver], localSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:09:38,634][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_faffe8_1708830578513], entityName[cbs-session],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:09:38,634][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
senderName[cbs], linkName[cbs:sender], remoteTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:09:38,634][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[cbs], linkName[cbs:receiver], remoteSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:09:38,635][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onOpen complete clientId[MF_faffe8_1708830578513],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:09:38,645][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_faffe8_1708830578513], hostName[yazure-eventhub-
apg01.servicebus.windows.net], getting a session.
[2024-02-25T03:09:38,645][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_faffe8_1708830578513], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/2],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:09:38,655][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_faffe8_1708830578513], entityName[insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/2],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:09:38,655][INFO ]
[com.microsoft.azure.eventhubs.impl.PartitionReceiverImpl][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
receiverPath[RECEIVER IS NULL], action[createReceiveLink], offset[1537600179320],
sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:09:38,655][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[PR_35474c_1708830578609_MF_faffe8_1708830578513-InternalReceiver],
linkName[LN_f6193b_1708830578655_f08_G31], localSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/2',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=UnknownDescribedType{descriptor=apache.org:selector-filter:string,
described=amqp.annotation.x-opt-offset > '1537600179320'}}, defaultOutcome=null,
outcomes=null, capabilities=null}]
[2024-02-25T03:09:38,664][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[PR_35474c_1708830578609_MF_faffe8_1708830578513-InternalReceiver],
linkName[LN_f6193b_1708830578655_f08_G31], remoteSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/2',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=org.apache.qpid.proton.codec.DecoderImpl$UnknownDescribedType@4f141188},
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:09:38,665][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onOpenComplete -
clientId[PR_35474c_1708830578609_MF_faffe8_1708830578513-InternalReceiver],
receiverPath[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/2], linkName[LN_f6193b_1708830578655_f08_G31], updated-link-credit[300],
sentCredits[300]
[2024-02-25T03:09:38,665][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: 2: EH client and receiver creation finished
[2024-02-25T03:09:38,702][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteOpen hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_bc4c67_1708830578513],
remoteContainer[5524d93dbdef4c24a035bd29c242dc7f_G9]
[2024-02-25T03:09:38,702][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: 1: Retrieved starting offset
6725932941216//1542094
[2024-02-25T03:09:38,703][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: 1: Opening EH receiver with epoch 0 at
location offset[6725932941216], sequenceNumber[null], enqueuedTime[null],
inclusiveFlag[false]
[2024-02-25T03:09:38,703][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_c090c4_1708830578703_MF_bc4c67_1708830578513-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
1], operationTimeout[PT1M], creating a receive link
[2024-02-25T03:09:38,703][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_bc4c67_1708830578513], hostName[yazure-eventhub-
apg02.servicebus.windows.net], getting a session.
[2024-02-25T03:09:38,703][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_bc4c67_1708830578513], entityName[cbs-session],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:09:38,703][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
senderName[cbs], linkName[cbs:sender], localTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:09:38,703][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[cbs], linkName[cbs:receiver], localSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:09:38,705][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_bc4c67_1708830578513], entityName[cbs-session],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:09:38,705][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
senderName[cbs], linkName[cbs:sender], remoteTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:09:38,705][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[cbs], linkName[cbs:receiver], remoteSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:09:38,711][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onOpen complete clientId[MF_bc4c67_1708830578513],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:09:38,714][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_bc4c67_1708830578513], hostName[yazure-eventhub-
apg02.servicebus.windows.net], getting a session.
[2024-02-25T03:09:38,714][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_bc4c67_1708830578513], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/1],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:09:38,716][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_bc4c67_1708830578513], entityName[insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/1],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:09:38,720][INFO ]
[com.microsoft.azure.eventhubs.impl.PartitionReceiverImpl][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
receiverPath[RECEIVER IS NULL], action[createReceiveLink], offset[6725932941216],
sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:09:38,720][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[PR_c090c4_1708830578703_MF_bc4c67_1708830578513-InternalReceiver],
linkName[LN_32f5a3_1708830578720_dc7f_G9], localSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/1',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=UnknownDescribedType{descriptor=apache.org:selector-filter:string,
described=amqp.annotation.x-opt-offset > '6725932941216'}}, defaultOutcome=null,
outcomes=null, capabilities=null}]
[2024-02-25T03:09:38,726][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[PR_c090c4_1708830578703_MF_bc4c67_1708830578513-InternalReceiver],
linkName[LN_32f5a3_1708830578720_dc7f_G9], remoteSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/1',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=org.apache.qpid.proton.codec.DecoderImpl$UnknownDescribedType@60a9ec24},
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:09:38,726][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onOpenComplete -
clientId[PR_c090c4_1708830578703_MF_bc4c67_1708830578513-InternalReceiver],
receiverPath[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/1], linkName[LN_32f5a3_1708830578720_dc7f_G9], updated-link-credit[300],
sentCredits[300]
[2024-02-25T03:09:38,726][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: 1: EH client and receiver creation finished
[2024-02-25T03:10:08,500][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: 3: creating new pump
[2024-02-25T03:10:08,500][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: 3: Creating and opening event processor
instance
[2024-02-25T03:10:08,502][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is opening.
[2024-02-25T03:10:08,502][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: 3: Opening EH client
[2024-02-25T03:10:08,503][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_60679a_1708830608503], hostName[yazure-eventhub-
apg02.servicebus.windows.net], info[starting reactor instance.]
[2024-02-25T03:10:08,503][INFO ][com.microsoft.azure.eventhubs.impl.ReactorHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
name[MF_60679a_1708830608503] reactor.onReactorInit
[2024-02-25T03:10:08,503][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onConnectionInit
hostname[yazure-eventhub-apg02.servicebus.windows.net],
connectionId[MF_60679a_1708830608503]
[2024-02-25T03:10:08,503][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalOpen hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_60679a_1708830608503], errorCondition[null], errorDescription[null]
[2024-02-25T03:10:08,504][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionBound hostname[yazure-eventhub-apg02.servicebus.windows.net],
connectionId[MF_60679a_1708830608503]
[2024-02-25T03:10:08,500][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: 0: creating new pump
[2024-02-25T03:10:08,505][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: 0: Creating and opening event processor
instance
[2024-02-25T03:10:08,510][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 0 is opening.
[2024-02-25T03:10:08,510][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: 0: Opening EH client
[2024-02-25T03:10:08,510][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_470d4b_1708830608510], hostName[yazure-eventhub-
apg01.servicebus.windows.net], info[starting reactor instance.]
[2024-02-25T03:10:08,510][INFO ][com.microsoft.azure.eventhubs.impl.ReactorHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
name[MF_470d4b_1708830608510] reactor.onReactorInit
[2024-02-25T03:10:08,510][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onConnectionInit
hostname[yazure-eventhub-apg01.servicebus.windows.net],
connectionId[MF_470d4b_1708830608510]
[2024-02-25T03:10:08,510][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalOpen hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_470d4b_1708830608510], errorCondition[null], errorDescription[null]
[2024-02-25T03:10:08,511][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionBound hostname[yazure-eventhub-apg01.servicebus.windows.net],
connectionId[MF_470d4b_1708830608510]
[2024-02-25T03:10:08,554][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteOpen hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_470d4b_1708830608510],
remoteContainer[9903b5cd1588437bac195ce2a46989b1_G11]
[2024-02-25T03:10:08,563][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: 0: Retrieved starting offset
1533306699224//1261759
[2024-02-25T03:10:08,563][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteOpen hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_60679a_1708830608503],
remoteContainer[72f450b5e0ac45b49a62ce277a8c1c7c_G20]
[2024-02-25T03:10:08,563][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: 0: Opening EH receiver with epoch 0 at
location offset[1533306699224], sequenceNumber[null], enqueuedTime[null],
inclusiveFlag[false]
[2024-02-25T03:10:08,563][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: 3: Retrieved starting offset
6725944421856//1542328
[2024-02-25T03:10:08,563][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: 3: Opening EH receiver with epoch 0 at
location offset[6725944421856], sequenceNumber[null], enqueuedTime[null],
inclusiveFlag[false]
[2024-02-25T03:10:08,563][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_270293_1708830608563_MF_470d4b_1708830608510-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
0], operationTimeout[PT1M], creating a receive link
[2024-02-25T03:10:08,563][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_470d4b_1708830608510], hostName[yazure-eventhub-
apg01.servicebus.windows.net], getting a session.
[2024-02-25T03:10:08,563][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_470d4b_1708830608510], entityName[cbs-session],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:10:08,564][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
senderName[cbs], linkName[cbs:sender], localTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:10:08,564][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[cbs], linkName[cbs:receiver], localSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:10:08,564][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_000155_1708830608563_MF_60679a_1708830608503-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], operationTimeout[PT1M], creating a receive link
[2024-02-25T03:10:08,564][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_60679a_1708830608503], hostName[yazure-eventhub-
apg02.servicebus.windows.net], getting a session.
[2024-02-25T03:10:08,564][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_60679a_1708830608503], entityName[cbs-session],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:10:08,564][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
senderName[cbs], linkName[cbs:sender], localTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:10:08,564][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[cbs], linkName[cbs:receiver], localSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:10:08,573][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_470d4b_1708830608510], entityName[cbs-session],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:10:08,573][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
senderName[cbs], linkName[cbs:sender], remoteTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:10:08,573][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[cbs], linkName[cbs:receiver], remoteSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:10:08,573][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onOpen complete clientId[MF_470d4b_1708830608510],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:10:08,575][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_60679a_1708830608503], entityName[cbs-session],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:10:08,575][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
senderName[cbs], linkName[cbs:sender], remoteTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:10:08,575][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[cbs], linkName[cbs:receiver], remoteSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:10:08,575][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onOpen complete clientId[MF_60679a_1708830608503],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:10:08,575][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_470d4b_1708830608510], hostName[yazure-eventhub-
apg01.servicebus.windows.net], getting a session.
[2024-02-25T03:10:08,576][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_470d4b_1708830608510], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/0],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:10:08,583][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_60679a_1708830608503], hostName[yazure-eventhub-
apg02.servicebus.windows.net], getting a session.
[2024-02-25T03:10:08,583][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_60679a_1708830608503], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/3],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:10:08,583][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_470d4b_1708830608510], entityName[insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/0],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:10:08,583][INFO ]
[com.microsoft.azure.eventhubs.impl.PartitionReceiverImpl][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
receiverPath[RECEIVER IS NULL], action[createReceiveLink], offset[1533306699224],
sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:10:08,583][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[PR_270293_1708830608563_MF_470d4b_1708830608510-InternalReceiver],
linkName[LN_57bdd2_1708830608583_9b1_G11], localSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/0',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=UnknownDescribedType{descriptor=apache.org:selector-filter:string,
described=amqp.annotation.x-opt-offset > '1533306699224'}}, defaultOutcome=null,
outcomes=null, capabilities=null}]
[2024-02-25T03:10:08,585][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_60679a_1708830608503], entityName[insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/3],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:10:08,585][INFO ]
[com.microsoft.azure.eventhubs.impl.PartitionReceiverImpl][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
receiverPath[RECEIVER IS NULL], action[createReceiveLink], offset[6725944421856],
sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:10:08,585][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[PR_000155_1708830608563_MF_60679a_1708830608503-InternalReceiver],
linkName[LN_219140_1708830608585_c7c_G20], localSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/3',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=UnknownDescribedType{descriptor=apache.org:selector-filter:string,
described=amqp.annotation.x-opt-offset > '6725944421856'}}, defaultOutcome=null,
outcomes=null, capabilities=null}]
[2024-02-25T03:10:08,593][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[PR_270293_1708830608563_MF_470d4b_1708830608510-InternalReceiver],
linkName[LN_57bdd2_1708830608583_9b1_G11], remoteSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/0',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=org.apache.qpid.proton.codec.DecoderImpl$UnknownDescribedType@4adf80b2},
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:10:08,593][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onOpenComplete -
clientId[PR_270293_1708830608563_MF_470d4b_1708830608510-InternalReceiver],
receiverPath[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/0], linkName[LN_57bdd2_1708830608583_9b1_G11], updated-link-credit[300],
sentCredits[300]
[2024-02-25T03:10:08,593][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[PR_000155_1708830608563_MF_60679a_1708830608503-InternalReceiver],
linkName[LN_219140_1708830608585_c7c_G20], remoteSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/3',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=org.apache.qpid.proton.codec.DecoderImpl$UnknownDescribedType@3781d8cd},
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:10:08,593][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onOpenComplete -
clientId[PR_000155_1708830608563_MF_60679a_1708830608503-InternalReceiver],
receiverPath[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/3], linkName[LN_219140_1708830608585_c7c_G20], updated-link-credit[300],
sentCredits[300]
[2024-02-25T03:10:08,599][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: 0: EH client and receiver creation finished
[2024-02-25T03:10:08,600][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: 3: EH client and receiver creation finished
[2024-02-25T03:16:24,913][WARN ][logstash.codecs.plain ][zscaler]
[338c3256cbc9a25a68e8953fdaee35f73f7a34c5e1b88b71d476e31b8559c3e1] Received an
event that has a different character encoding than you configured. {:text=>"Feb 25
03:07:52 bot001-0z0149.jp.ykgw.net \\\"Sun Feb 25 12:07:21
2024\\\",\\\"takuya.yokosuka@yokogawa.com\\\",\\\"HTTPS\\\",\\\"manager.snar.jp/
contents/applicantdetail/download_dssreport.aspx?
StepNo=442&OBSID=00019496\\\",\\\"Allowed\\\",\\\"General Browsing\\\",\\\"General
Browsing\\\",\\\"1307\\\",\\\"120587\\\",\\\"2865\\\",\\\"2948\\\",\\\"Business
Use\\\",\\\"Business and Economy\\\",\\\"Professional
Services\\\",\\\"None\\\",\\\"None\\\",\\\"0\\\",\\\"None\\\",\\\"None\\\",\\\"Road
Warrior\\\",\\\"D-Sol HQ SDC Systems Software R&D Dept. Tech. Sec.
1\\\",\\\"192.168.1.8\\\",\\\"13.107.246.46\\\",\\\"GET\\\",\\\"200\\\",
\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/122.0.0.0 Safari/537.36
Edg/122.0.0.0\\\",\\\"manager.snar.jp/v2/tablet/inputevaluation\\\",\\\"None\\\",
\\\"None\\\",\\\"application/
pdf\\\",\\\"None\\\",\\\"00112345\\\",\\\"CPCpxU7HlLYE0ca\\\",\\\"None\\\",
\\\"Other Documents\\\",\\\"Portable Document Format (pdf)\\\",\\\"pdf\\\",
\\\"DSS\\x83\\x8C\\x83|\\x81[\\x83g_00019496.pdf\\\",\\\"133.200.220.0\\\",\\\"None\\\",\\\"None\\\",\\\"None\\\",
\\\"Allowed\\\"", :expected_charset=>"UTF-8"}
[2024-02-25T03:16:57,224][WARN ][logstash.runner ] SIGTERM received.
Shutting down.
[2024-02-25T03:16:57,667][INFO ][filewatch.observingtail ] QUIT - closing all
files and shutting down.
[2024-02-25T03:16:57,685][INFO ][filewatch.observingtail ] QUIT - closing all
files and shutting down.
[2024-02-25T03:16:57,786][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Unregistering
Event Hub this can take a while... {:event_hub_name=>"insights-logs-
applicationgatewayaccesslog"}
[2024-02-25T03:16:57,786][INFO ]
[com.microsoft.azure.eventprocessorhost.EventProcessorHost][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: Stopping event processing
[2024-02-25T03:16:57,786][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: Shutting down all pumps
[2024-02-25T03:16:57,786][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: 0: closing pump for reason Shutdown
[2024-02-25T03:16:57,786][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: 0: pump shutdown for reason Shutdown
[2024-02-25T03:16:57,786][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: 2: closing pump for reason Shutdown
[2024-02-25T03:16:57,786][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: 2: pump shutdown for reason Shutdown
[2024-02-25T03:16:57,786][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: 0: Setting receive handler to null
[2024-02-25T03:16:57,789][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: 2: Setting receive handler to null
[2024-02-25T03:16:57,825][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Unregistering
Event Hub this can take a while... {:event_hub_name=>"insights-logs-
applicationgatewayaccesslog"}
[2024-02-25T03:16:57,825][INFO ]
[com.microsoft.azure.eventprocessorhost.EventProcessorHost][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: Stopping event processing
[2024-02-25T03:16:57,825][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: Shutting down all pumps
[2024-02-25T03:16:57,825][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: 1: closing pump for reason Shutdown
[2024-02-25T03:16:57,825][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: 1: pump shutdown for reason Shutdown
[2024-02-25T03:16:57,825][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: 3: closing pump for reason Shutdown
[2024-02-25T03:16:57,825][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: 3: pump shutdown for reason Shutdown
[2024-02-25T03:16:57,825][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: 1: Setting receive handler to null
[2024-02-25T03:16:57,825][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: 3: Setting receive handler to null
[2024-02-25T03:16:58,726][INFO ][logstash.javapipeline ][cucm] Pipeline
terminated {"pipeline.id"=>"cucm"}
[2024-02-25T03:16:59,352][INFO ][logstash.javapipeline ][yhq_cisco_asav_azure]
Pipeline terminated {"pipeline.id"=>"yhq_cisco_asav_azure"}
[2024-02-25T03:16:59,798][INFO ][logstash.pipelinesregistry] Removed pipeline from
registry successfully {:pipeline_id=>:cucm}
[2024-02-25T03:16:59,815][INFO ][logstash.pipelinesregistry] Removed pipeline from
registry successfully {:pipeline_id=>:yhq_cisco_asav_azure}
[2024-02-25T03:17:00,408][INFO ][logstash.javapipeline ][ad] Pipeline terminated
{"pipeline.id"=>"ad"}
[2024-02-25T03:17:00,841][INFO ][logstash.pipelinesregistry] Removed pipeline from
registry successfully {:pipeline_id=>:ad}
[2024-02-25T03:17:01,087][INFO ][logstash.javapipeline ]
[PA_FactoryPA_ThreatIntel] Pipeline terminated
{"pipeline.id"=>"PA_FactoryPA_ThreatIntel"}
[2024-02-25T03:17:01,660][INFO ][logstash.pipelinesregistry] Removed pipeline from
registry successfully {:pipeline_id=>:PA_FactoryPA_ThreatIntel}
[2024-02-25T03:17:02,599][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>343,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>338, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"}]=>
[{"thread_id"=>342, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:17:02,599][ERROR][org.logstash.execution.ShutdownWatcherExt] The
shutdown process appears to be stalled due to busy or blocked plugins. Check the
logs for more information.
[2024-02-25T03:17:02,688][INFO ][com.microsoft.azure.eventhubs.impl.ReceivePump]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Stopping receive
pump for eventHub (insights-logs-applicationgatewayaccesslog), consumerGroup
($Default), partition (0) as per the request.
[2024-02-25T03:17:02,688][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: 0: Closing EH receiver
[2024-02-25T03:17:02,688][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[PR_270293_1708830608563_MF_470d4b_1708830608510]
[2024-02-25T03:17:02,688][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[PR_270293_1708830608563_MF_470d4b_1708830608510-InternalReceiver]
[2024-02-25T03:17:02,688][INFO ]
[com.microsoft.azure.eventhubs.impl.ActiveClientTokenManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientEntity[PR_270293_1708830608563_MF_470d4b_1708830608510-InternalReceiver] -
canceling ActiveClientLinkManager
[2024-02-25T03:17:02,688][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[PR_270293_1708830608563_MF_470d4b_1708830608510-InternalReceiver],
linkName[LN_57bdd2_1708830608583_9b1_G11], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:02,688][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[PR_270293_1708830608563_MF_470d4b_1708830608510-InternalReceiver],
linkName[LN_57bdd2_1708830608583_9b1_G11], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:02,689][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/0], entityName[MF_470d4b_1708830608510], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:17:02,690][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[PR_270293_1708830608563_MF_470d4b_1708830608510-
InternalReceiver], linkName[LN_57bdd2_1708830608583_9b1_G11], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:02,690][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[PR_270293_1708830608563_MF_470d4b_1708830608510-InternalReceiver],
linkName[LN_57bdd2_1708830608583_9b1_G11], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:02,690][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/0], entityName[MF_470d4b_1708830608510], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:17:02,690][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: 0: Closing EH client
[2024-02-25T03:17:02,690][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[EC_0000d9_1708830608510]
[2024-02-25T03:17:02,690][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[MF_470d4b_1708830608510]
[2024-02-25T03:17:02,690][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalClose hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_470d4b_1708830608510], errorCondition[null], errorDescription[null]
[2024-02-25T03:17:02,690][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:17:02,690][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:17:02,690][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:02,690][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose connectionId[cbs-session], entityName[MF_470d4b_1708830608510],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:17:02,691][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[cbs], linkName[cbs:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:02,691][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:17:02,691][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:02,691][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:02,691][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onClose complete clientId[MF_470d4b_1708830608510],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:17:02,691][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_470d4b_1708830608510], hostName[yazure-eventhub-
apg01.servicebus.windows.net], info[cbsChannel closed]
[2024-02-25T03:17:02,694][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteClose hostname[yazure-eventhub-
apg01.servicebus.windows.net:5671], connectionId[MF_470d4b_1708830608510],
errorCondition[null], errorDescription[null]
[2024-02-25T03:17:02,694][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionError messagingFactory[MF_470d4b_1708830608510], hostname[yazure-
eventhub-apg01.servicebus.windows.net], error[null]
[2024-02-25T03:17:02,694][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_470d4b_1708830608510], error[n/a]
[2024-02-25T03:17:02,694][INFO ]
[com.microsoft.azure.eventhubs.impl.CustomIOHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed name[MF_470d4b_1708830608510], hostname[yazure-eventhub-
apg01.servicebus.windows.net:5671]
[2024-02-25T03:17:02,694][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionUnbound hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_470d4b_1708830608510], state[CLOSED], remoteState[CLOSED]
[2024-02-25T03:17:02,694][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_470d4b_1708830608510], entityName[cbs-session], condition[null],
description[null]
[2024-02-25T03:17:02,694][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_470d4b_1708830608510], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/0], condition[null],
description[null]
[2024-02-25T03:17:02,694][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionFinal hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_470d4b_1708830608510], errorCondition[null], errorDescription[null]
[2024-02-25T03:17:02,694][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_470d4b_1708830608510], hostName[yazure-eventhub-
apg01.servicebus.windows.net], message[stopping the reactor because thread was
interrupted or the reactor has no more events to process.]
[2024-02-25T03:17:02,695][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 0 is closing.
(reason=Shutdown)
[2024-02-25T03:17:07,668][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>343,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>338, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"}]=>
[{"thread_id"=>342, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:17:12,823][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>343,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>338, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"}]=>
[{"thread_id"=>342, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:17:17,866][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>343,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>338, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"}]=>
[{"thread_id"=>342, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:17:21,170][INFO ][com.microsoft.azure.eventhubs.impl.ReceivePump]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Stopping receive
pump for eventHub (insights-logs-applicationgatewayaccesslog), consumerGroup
($Default), partition (1) as per the request.
[2024-02-25T03:17:21,170][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: 1: Closing EH receiver
[2024-02-25T03:17:21,170][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[PR_c090c4_1708830578703_MF_bc4c67_1708830578513]
[2024-02-25T03:17:21,170][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[PR_c090c4_1708830578703_MF_bc4c67_1708830578513-InternalReceiver]
[2024-02-25T03:17:21,170][INFO ]
[com.microsoft.azure.eventhubs.impl.ActiveClientTokenManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientEntity[PR_c090c4_1708830578703_MF_bc4c67_1708830578513-InternalReceiver] -
canceling ActiveClientLinkManager
[2024-02-25T03:17:21,170][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[PR_c090c4_1708830578703_MF_bc4c67_1708830578513-InternalReceiver],
linkName[LN_32f5a3_1708830578720_dc7f_G9], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:21,170][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[PR_c090c4_1708830578703_MF_bc4c67_1708830578513-InternalReceiver],
linkName[LN_32f5a3_1708830578720_dc7f_G9], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:21,170][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/1], entityName[MF_bc4c67_1708830578513], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:17:21,172][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[PR_c090c4_1708830578703_MF_bc4c67_1708830578513-
InternalReceiver], linkName[LN_32f5a3_1708830578720_dc7f_G9], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:21,172][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[PR_c090c4_1708830578703_MF_bc4c67_1708830578513-InternalReceiver],
linkName[LN_32f5a3_1708830578720_dc7f_G9], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:21,172][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/1], entityName[MF_bc4c67_1708830578513], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:17:21,173][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: 1: Closing EH client
[2024-02-25T03:17:21,173][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[EC_f52706_1708830578513]
[2024-02-25T03:17:21,173][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[MF_bc4c67_1708830578513]
[2024-02-25T03:17:21,173][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalClose hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_bc4c67_1708830578513], errorCondition[null], errorDescription[null]
[2024-02-25T03:17:21,173][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:17:21,173][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:17:21,173][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:21,173][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose connectionId[cbs-session], entityName[MF_bc4c67_1708830578513],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:17:21,175][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[cbs], linkName[cbs:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:21,175][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:17:21,175][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:21,175][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:21,175][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onClose complete clientId[MF_bc4c67_1708830578513],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:17:21,175][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_bc4c67_1708830578513], hostName[yazure-eventhub-
apg02.servicebus.windows.net], info[cbsChannel closed]
[2024-02-25T03:17:21,179][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteClose hostname[yazure-eventhub-
apg02.servicebus.windows.net:5671], connectionId[MF_bc4c67_1708830578513],
errorCondition[null], errorDescription[null]
[2024-02-25T03:17:21,179][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionError messagingFactory[MF_bc4c67_1708830578513], hostname[yazure-
eventhub-apg02.servicebus.windows.net], error[null]
[2024-02-25T03:17:21,179][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_bc4c67_1708830578513], error[n/a]
[2024-02-25T03:17:21,179][INFO ]
[com.microsoft.azure.eventhubs.impl.CustomIOHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed name[MF_bc4c67_1708830578513], hostname[yazure-eventhub-
apg02.servicebus.windows.net:5671]
[2024-02-25T03:17:21,179][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionUnbound hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_bc4c67_1708830578513], state[CLOSED], remoteState[CLOSED]
[2024-02-25T03:17:21,179][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_bc4c67_1708830578513], entityName[cbs-session], condition[null],
description[null]
[2024-02-25T03:17:21,179][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_bc4c67_1708830578513], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/1], condition[null],
description[null]
[2024-02-25T03:17:21,179][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionFinal hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_bc4c67_1708830578513], errorCondition[null], errorDescription[null]
[2024-02-25T03:17:21,179][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_bc4c67_1708830578513], hostName[yazure-eventhub-
apg02.servicebus.windows.net], message[stopping the reactor because thread was
interrupted or the reactor has no more events to process.]
[2024-02-25T03:17:21,179][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 is closing.
(reason=Shutdown)
[2024-02-25T03:17:22,935][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>343,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>338, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"}]=>
[{"thread_id"=>342, "name"=>"[azure_waf_access]>worker0",
"current_call"=>"[...]/logstash-core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:17:28,005][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>343,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>338, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"}]=>
[{"thread_id"=>342, "name"=>"[azure_waf_access]>worker0",
"current_call"=>"[...]/logstash-core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:17:33,107][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>343,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>338, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"}]=>
[{"thread_id"=>342, "name"=>"[azure_waf_access]>worker0",
"current_call"=>"[...]/logstash-core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:17:38,229][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>343,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>338, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"}]=>
[{"thread_id"=>342, "name"=>"[azure_waf_access]>worker0",
"current_call"=>"[...]/logstash-core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:17:39,809][INFO ][com.microsoft.azure.eventhubs.impl.ReceivePump]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Stopping receive
pump for eventHub (insights-logs-applicationgatewayaccesslog), consumerGroup
($Default), partition (3) as per the request.
[2024-02-25T03:17:39,809][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: 3: Closing EH receiver
[2024-02-25T03:17:39,809][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[PR_000155_1708830608563_MF_60679a_1708830608503]
[2024-02-25T03:17:39,809][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[PR_000155_1708830608563_MF_60679a_1708830608503-InternalReceiver]
[2024-02-25T03:17:39,809][INFO ]
[com.microsoft.azure.eventhubs.impl.ActiveClientTokenManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientEntity[PR_000155_1708830608563_MF_60679a_1708830608503-InternalReceiver] -
canceling ActiveClientLinkManager
[2024-02-25T03:17:39,809][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[PR_000155_1708830608563_MF_60679a_1708830608503-InternalReceiver],
linkName[LN_219140_1708830608585_c7c_G20], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:39,809][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[PR_000155_1708830608563_MF_60679a_1708830608503-InternalReceiver],
linkName[LN_219140_1708830608585_c7c_G20], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:39,809][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/3], entityName[MF_60679a_1708830608503], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:17:39,812][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[PR_000155_1708830608563_MF_60679a_1708830608503-
InternalReceiver], linkName[LN_219140_1708830608585_c7c_G20], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:39,812][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[PR_000155_1708830608563_MF_60679a_1708830608503-InternalReceiver],
linkName[LN_219140_1708830608585_c7c_G20], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:39,812][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/3], entityName[MF_60679a_1708830608503], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:17:39,813][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: 3: Closing EH client
[2024-02-25T03:17:39,813][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[EC_39019d_1708830608503]
[2024-02-25T03:17:39,813][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[MF_60679a_1708830608503]
[2024-02-25T03:17:39,813][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalClose hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_60679a_1708830608503], errorCondition[null], errorDescription[null]
[2024-02-25T03:17:39,813][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:17:39,813][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:17:39,813][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:39,813][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose connectionId[cbs-session], entityName[MF_60679a_1708830608503],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:17:39,821][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[cbs], linkName[cbs:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:39,821][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:17:39,821][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:39,821][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:39,821][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onClose complete clientId[MF_60679a_1708830608503],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:17:39,821][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_60679a_1708830608503], hostName[yazure-eventhub-
apg02.servicebus.windows.net], info[cbsChannel closed]
[2024-02-25T03:17:39,821][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteClose hostname[yazure-eventhub-
apg02.servicebus.windows.net:5671], connectionId[MF_60679a_1708830608503],
errorCondition[null], errorDescription[null]
[2024-02-25T03:17:39,821][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionError messagingFactory[MF_60679a_1708830608503], hostname[yazure-
eventhub-apg02.servicebus.windows.net], error[null]
[2024-02-25T03:17:39,821][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_60679a_1708830608503], error[n/a]
[2024-02-25T03:17:39,821][INFO ]
[com.microsoft.azure.eventhubs.impl.CustomIOHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed name[MF_60679a_1708830608503], hostname[yazure-eventhub-
apg02.servicebus.windows.net:5671]
[2024-02-25T03:17:39,822][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionUnbound hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_60679a_1708830608503], state[CLOSED], remoteState[CLOSED]
[2024-02-25T03:17:39,822][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_60679a_1708830608503], entityName[cbs-session], condition[null],
description[null]
[2024-02-25T03:17:39,822][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_60679a_1708830608503], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/3], condition[null],
description[null]
[2024-02-25T03:17:39,822][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionFinal hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_60679a_1708830608503], errorCondition[null], errorDescription[null]
[2024-02-25T03:17:39,822][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_60679a_1708830608503], hostName[yazure-eventhub-
apg02.servicebus.windows.net], message[stopping the reactor because thread was
interrupted or the reactor has no more events to process.]
[2024-02-25T03:17:39,822][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is closing.
(reason=Shutdown)
[2024-02-25T03:17:39,828][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c8386931-7f84-402c-9b97-39e89a255cba: Partition manager exiting
[2024-02-25T03:17:39,829][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub
insights-logs-applicationgatewayaccesslog is closed.
[2024-02-25T03:17:43,287][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>343,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>338, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"}]=>
[{"thread_id"=>342, "name"=>"[azure_waf_access]>worker0",
"current_call"=>"[...]/logstash-core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:17:44,142][INFO ][com.microsoft.azure.eventhubs.impl.ReceivePump]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Stopping receive
pump for eventHub (insights-logs-applicationgatewayaccesslog), consumerGroup
($Default), partition (2) as per the request.
[2024-02-25T03:17:44,142][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: 2: Closing EH receiver
[2024-02-25T03:17:44,142][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[PR_35474c_1708830578609_MF_faffe8_1708830578513]
[2024-02-25T03:17:44,142][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[PR_35474c_1708830578609_MF_faffe8_1708830578513-InternalReceiver]
[2024-02-25T03:17:44,142][INFO ]
[com.microsoft.azure.eventhubs.impl.ActiveClientTokenManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientEntity[PR_35474c_1708830578609_MF_faffe8_1708830578513-InternalReceiver] -
canceling ActiveClientLinkManager
[2024-02-25T03:17:44,143][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[PR_35474c_1708830578609_MF_faffe8_1708830578513-InternalReceiver],
linkName[LN_f6193b_1708830578655_f08_G31], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:44,143][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[PR_35474c_1708830578609_MF_faffe8_1708830578513-InternalReceiver],
linkName[LN_f6193b_1708830578655_f08_G31], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:44,143][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/2], entityName[MF_faffe8_1708830578513], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:17:44,152][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[PR_35474c_1708830578609_MF_faffe8_1708830578513-
InternalReceiver], linkName[LN_f6193b_1708830578655_f08_G31], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:44,152][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[PR_35474c_1708830578609_MF_faffe8_1708830578513-InternalReceiver],
linkName[LN_f6193b_1708830578655_f08_G31], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:44,153][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/2], entityName[MF_faffe8_1708830578513], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:17:44,153][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: 2: Closing EH client
[2024-02-25T03:17:44,153][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[EC_fd73a0_1708830578513]
[2024-02-25T03:17:44,153][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[MF_faffe8_1708830578513]
[2024-02-25T03:17:44,153][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalClose hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_faffe8_1708830578513], errorCondition[null], errorDescription[null]
[2024-02-25T03:17:44,153][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:17:44,153][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:17:44,153][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:44,154][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose connectionId[cbs-session], entityName[MF_faffe8_1708830578513],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:17:44,161][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[cbs], linkName[cbs:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:44,161][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:17:44,161][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:44,161][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:17:44,161][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onClose complete clientId[MF_faffe8_1708830578513],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:17:44,161][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_faffe8_1708830578513], hostName[yazure-eventhub-
apg01.servicebus.windows.net], info[cbsChannel closed]
[2024-02-25T03:17:44,162][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteClose hostname[yazure-eventhub-
apg01.servicebus.windows.net:5671], connectionId[MF_faffe8_1708830578513],
errorCondition[null], errorDescription[null]
[2024-02-25T03:17:44,162][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionError messagingFactory[MF_faffe8_1708830578513], hostname[yazure-
eventhub-apg01.servicebus.windows.net], error[null]
[2024-02-25T03:17:44,163][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_faffe8_1708830578513], error[n/a]
[2024-02-25T03:17:44,163][INFO ]
[com.microsoft.azure.eventhubs.impl.CustomIOHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed name[MF_faffe8_1708830578513], hostname[yazure-eventhub-
apg01.servicebus.windows.net:5671]
[2024-02-25T03:17:44,163][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionUnbound hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_faffe8_1708830578513], state[CLOSED], remoteState[CLOSED]
[2024-02-25T03:17:44,172][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_faffe8_1708830578513], entityName[cbs-session], condition[null],
description[null]
[2024-02-25T03:17:44,172][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_faffe8_1708830578513], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/2], condition[null],
description[null]
[2024-02-25T03:17:44,172][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionFinal hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_faffe8_1708830578513], errorCondition[null], errorDescription[null]
[2024-02-25T03:17:44,172][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_faffe8_1708830578513], hostName[yazure-eventhub-
apg01.servicebus.windows.net], message[stopping the reactor because thread was
interrupted or the reactor has no more events to process.]
[2024-02-25T03:17:44,172][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 2 is closing.
(reason=Shutdown)
[2024-02-25T03:17:44,172][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
116012d1-165a-4d71-b8a7-935f5f8dd0b5: Partition manager exiting
[2024-02-25T03:17:44,172][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub
insights-logs-applicationgatewayaccesslog is closed.
[2024-02-25T03:17:44,558][INFO ][logstash.javapipeline ][azure_waf_access]
Pipeline terminated {"pipeline.id"=>"azure_waf_access"}
[2024-02-25T03:17:45,316][INFO ][logstash.pipelinesregistry] Removed pipeline from
registry successfully {:pipeline_id=>:azure_waf_access}
[2024-02-25T03:28:29,934][INFO ][logstash.runner ] Log4j configuration
path used is: /etc/logstash/log4j2.properties
[2024-02-25T03:28:29,980][INFO ][logstash.runner ] Starting Logstash
{"logstash.version"=>"8.11.4", "jruby.version"=>"jruby 9.4.5.0 (3.1.4) 2023-11-02
1abae2700f OpenJDK 64-Bit Server VM 17.0.9+9 on 17.0.9+9 +indy +jit
[x86_64-linux]"}
[2024-02-25T03:28:29,997][INFO ][logstash.runner ] JVM bootstrap flags:
[-Xms4g, -Xmx4g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8,
-Djruby.compile.invokedynamic=true, -Djruby.jit.threshold=0,
-Djruby.regexp.interruptible=true, -XX:+HeapDumpOnOutOfMemoryError,
-Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true,
--add-opens=java.base/sun.nio.ch=ALL-UNNAMED,
--add-opens=java.base/java.io=ALL-UNNAMED, -Djdk.io.File.enableADS=true,
--add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED,
--add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED,
--add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED,
--add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED,
--add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED,
--add-opens=java.base/java.security=ALL-UNNAMED,
--add-opens=java.base/java.io=ALL-UNNAMED,
--add-opens=java.base/java.nio.channels=ALL-UNNAMED,
--add-opens=java.base/sun.nio.ch=ALL-UNNAMED,
--add-opens=java.management/sun.management=ALL-UNNAMED]
[2024-02-25T03:28:34,008][INFO ][logstash.agent ] Successfully started
Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[2024-02-25T03:28:35,752][INFO ][org.reflections.Reflections] Reflections took 263
ms to scan 1 urls, producing 131 keys and 463 values
[2024-02-25T03:28:37,335][INFO ][logstash.javapipeline ] Pipeline
`azure_waf_access` is configured with `pipeline.ecs_compatibility: v8` setting. All
plugins in this pipeline will default to `ecs_compatibility => v8` unless
explicitly configured otherwise.
[2024-02-25T03:28:37,499][INFO ][logstash.outputs.elasticsearch][azure_waf_access]
New Elasticsearch output
{:class=>"LogStash::Outputs::ElasticSearch",
:hosts=>["https://32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243"]}
[2024-02-25T03:28:38,277][INFO ][logstash.outputs.elasticsearch][azure_waf_access]
Elasticsearch pool URLs updated {:changes=>{:removed=>[],
:added=>[https://logstash_internal:xxxxxx@32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243/]}}
[2024-02-25T03:28:39,180][WARN ][logstash.outputs.elasticsearch][azure_waf_access]
Restored connection to ES instance
{:url=>"https://logstash_internal:xxxxxx@32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243/"}
[2024-02-25T03:28:39,193][INFO ][logstash.outputs.elasticsearch][azure_waf_access]
Elasticsearch version determined (8.10.3) {:es_version=>8}
[2024-02-25T03:28:39,202][WARN ][logstash.outputs.elasticsearch][azure_waf_access]
Detected a 6.x and above cluster: the `type` event field won't be used to determine
the document _type {:es_version=>8}
[2024-02-25T03:28:39,312][INFO ][logstash.outputs.elasticsearch][azure_waf_access]
Not eligible for data streams because config contains one or more settings that are
not compatible with data streams: {"ilm_enabled"=>"true",
"ilm_rollover_alias"=>"yokogawa-azure-waf", "ilm_policy"=>"yokogawa-ilm-policy",
"ilm_pattern"=>"000001"}
[2024-02-25T03:28:39,325][INFO ][logstash.outputs.elasticsearch][azure_waf_access]
Data streams auto configuration (`data_stream => auto` or unset) resolved to
`false`
[2024-02-25T03:28:39,375][INFO ][logstash.filters.json ][azure_waf_access] ECS
compatibility is enabled but `target` option was not specified. This may cause
fields to be set at the top-level of the event where they are likely to clash with
the Elastic Common Schema. It is recommended to set the `target` option to avoid
potential schema conflicts (if your data is ECS compliant or non-conflicting, feel
free to ignore this message)
[2024-02-25T03:28:39,393][WARN ][logstash.filters.geoip ][azure_waf_access] ECS
expect `target` value `geoip` in ["client", "destination", "host", "observer",
"server", "source"]
[2024-02-25T03:28:39,626][INFO ][logstash.outputs.elasticsearch][azure_waf_access]
Using a default mapping template {:es_version=>8, :ecs_compatibility=>:v8}
[2024-02-25T03:28:40,941][INFO ][logstash.filters.geoip.downloadmanager] new
database version detected? true
[2024-02-25T03:28:51,286][INFO ][logstash.filters.geoip.databasemanager]
/var/lib/logstash/plugins/filters/geoip/1708740948 is deleted
[2024-02-25T03:28:51,318][INFO ][logstash.filters.geoip.databasemanager]
[azure_waf_access] By not manually configuring a database path with `database =>`,
you accepted and agreed MaxMind EULA. For more details please visit
https://www.maxmind.com/en/geolite2/eula
[2024-02-25T03:28:51,327][INFO ][logstash.filters.geoip ][azure_waf_access] Using
geoip database
{:path=>"/var/lib/logstash/plugins/filters/geoip/1708831720/GeoLite2-City.mmdb"}
[2024-02-25T03:28:51,359][WARN ][logstash.javapipeline ][azure_waf_access]
'pipeline.ordered' is enabled and is likely less efficient, consider disabling if
preserving event order is not necessary
[2024-02-25T03:28:51,506][INFO ][logstash.javapipeline ][azure_waf_access]
Starting pipeline {:pipeline_id=>"azure_waf_access", "pipeline.workers"=>1,
"pipeline.batch.size"=>125, "pipeline.batch.delay"=>50,
"pipeline.max_inflight"=>125,
"pipeline.sources"=>["/etc/logstash/conf.d/yhq-azurewaf-accesslog.conf"],
:thread=>"#<Thread:0x5ae14ca0
/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}
[2024-02-25T03:28:53,132][INFO ][logstash.javapipeline ][azure_waf_access]
Pipeline Java execution initialization time {"seconds"=>1.62}
[2024-02-25T03:28:53,174][INFO ][logstash.javapipeline ][azure_waf_access]
Pipeline started {"pipeline.id"=>"azure_waf_access"}
[2024-02-25T03:28:53,234][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub
insights-logs-applicationgatewayaccesslog is initializing...
[2024-02-25T03:28:53,235][WARN ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] You have NOT
specified a `storage_connection_string` for
insights-logs-applicationgatewayaccesslog. This configuration is only supported
for a single Logstash instance.
[2024-02-25T03:28:53,254][INFO ]
[com.microsoft.azure.eventprocessorhost.EventProcessorHost][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: New EventProcessorHost created.
[2024-02-25T03:28:53,266][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub
insights-logs-applicationgatewayaccesslog is initializing...
[2024-02-25T03:28:53,274][WARN ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] You have NOT
specified a `storage_connection_string` for
insights-logs-applicationgatewayaccesslog. This configuration is only supported
for a single Logstash instance.
[2024-02-25T03:28:53,275][INFO ]
[com.microsoft.azure.eventprocessorhost.EventProcessorHost][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: New EventProcessorHost created.
[2024-02-25T03:28:53,285][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Configuring
Event Hub insights-logs-applicationgatewayaccesslog to read only new events.
[2024-02-25T03:28:53,296][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Configuring
Event Hub insights-logs-applicationgatewayaccesslog to read only new events.
[2024-02-25T03:28:53,306][INFO ]
[com.microsoft.azure.eventprocessorhost.EventProcessorHost][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: Starting event processing.
[2024-02-25T03:28:53,317][INFO ]
[com.microsoft.azure.eventprocessorhost.EventProcessorHost][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: Starting event processing.
[2024-02-25T03:28:53,347][INFO ][logstash.agent ] Pipelines running
{:count=>1, :running_pipelines=>[:azure_waf_access], :non_running_pipelines=>[]}
[2024-02-25T03:28:53,408][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_922878_1708831733355], hostName[yazure-eventhub-
apg01.servicebus.windows.net], info[starting reactor instance.]
[2024-02-25T03:28:53,418][INFO ][com.microsoft.azure.eventhubs.impl.ReactorHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
name[MF_922878_1708831733355] reactor.onReactorInit
[2024-02-25T03:28:53,436][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onConnectionInit
hostname[yazure-eventhub-apg01.servicebus.windows.net],
connectionId[MF_922878_1708831733355]
[2024-02-25T03:28:53,437][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalOpen hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_922878_1708831733355], errorCondition[null], errorDescription[null]
[2024-02-25T03:28:53,457][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_4468b6_1708831733355], hostName[yazure-eventhub-
apg02.servicebus.windows.net], info[starting reactor instance.]
[2024-02-25T03:28:53,458][INFO ][com.microsoft.azure.eventhubs.impl.ReactorHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
name[MF_4468b6_1708831733355] reactor.onReactorInit
[2024-02-25T03:28:53,459][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onConnectionInit
hostname[yazure-eventhub-apg02.servicebus.windows.net],
connectionId[MF_4468b6_1708831733355]
[2024-02-25T03:28:53,459][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalOpen hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_4468b6_1708831733355], errorCondition[null], errorDescription[null]
[2024-02-25T03:28:53,768][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionBound hostname[yazure-eventhub-apg01.servicebus.windows.net],
connectionId[MF_922878_1708831733355]
[2024-02-25T03:28:53,761][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionBound hostname[yazure-eventhub-apg02.servicebus.windows.net],
connectionId[MF_4468b6_1708831733355]
[2024-02-25T03:28:54,332][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteOpen hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_922878_1708831733355],
remoteContainer[ae6edd6b04964a91871b87029353311c_G35]
[2024-02-25T03:28:54,341][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteOpen hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_4468b6_1708831733355],
remoteContainer[3538939dc8d84a0db7fc62b0badb4713_G26]
[2024-02-25T03:28:54,374][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_4468b6_1708831733355], hostName[yazure-eventhub-
apg02.servicebus.windows.net], getting a session.
[2024-02-25T03:28:54,383][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_922878_1708831733355], hostName[yazure-eventhub-
apg01.servicebus.windows.net], getting a session.
[2024-02-25T03:28:54,411][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_922878_1708831733355], entityName[mgmt-session],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:28:54,412][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_4468b6_1708831733355], entityName[mgmt-session],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:28:54,423][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
senderName[mgmt], linkName[mgmt:sender], localTarget[Target{address='$management',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:28:54,431][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
senderName[mgmt], linkName[mgmt:sender], localTarget[Target{address='$management',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:28:54,431][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[mgmt], linkName[mgmt:receiver],
localSource[Source{address='$management', durable=NONE, expiryPolicy=SESSION_END,
timeout=0, dynamic=false, dynamicNodeProperties=null, distributionMode=null,
filter=null, defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:28:54,424][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[mgmt], linkName[mgmt:receiver],
localSource[Source{address='$management', durable=NONE, expiryPolicy=SESSION_END,
timeout=0, dynamic=false, dynamicNodeProperties=null, distributionMode=null,
filter=null, defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:28:54,434][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_4468b6_1708831733355], entityName[mgmt-
session], sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:28:54,442][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
senderName[mgmt], linkName[mgmt:sender], remoteTarget[Target{address='$management',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:28:54,443][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[mgmt], linkName[mgmt:receiver],
remoteSource[Source{address='$management', durable=NONE, expiryPolicy=SESSION_END,
timeout=0, dynamic=false, dynamicNodeProperties=null, distributionMode=null,
filter=null, defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:28:54,444][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_922878_1708831733355], entityName[mgmt-
session], sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:28:54,444][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
senderName[mgmt], linkName[mgmt:sender], remoteTarget[Target{address='$management',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:28:54,444][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[mgmt], linkName[mgmt:receiver],
remoteSource[Source{address='$management', durable=NONE, expiryPolicy=SESSION_END,
timeout=0, dynamic=false, dynamicNodeProperties=null, distributionMode=null,
filter=null, defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:28:54,463][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onOpen complete clientId[MF_4468b6_1708831733355],
session[mgmt-session], link[mgmt], endpoint[$management]
[2024-02-25T03:28:54,466][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onOpen complete clientId[MF_922878_1708831733355],
session[mgmt-session], link[mgmt], endpoint[$management]
[2024-02-25T03:28:54,482][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: Eventhub insights-logs-
applicationgatewayaccesslog count of partitions: 4
[2024-02-25T03:28:54,483][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: Found partition with id: 0
[2024-02-25T03:28:54,483][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: Found partition with id: 1
[2024-02-25T03:28:54,483][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: Found partition with id: 2
[2024-02-25T03:28:54,483][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: Found partition with id: 3
[2024-02-25T03:28:54,483][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[EC_3eb249_1708831733328]
[2024-02-25T03:28:54,483][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[MF_922878_1708831733355]
[2024-02-25T03:28:54,482][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: Eventhub insights-logs-
applicationgatewayaccesslog count of partitions: 4
[2024-02-25T03:28:54,484][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: Found partition with id: 0
[2024-02-25T03:28:54,484][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: Found partition with id: 1
[2024-02-25T03:28:54,484][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: Found partition with id: 2
[2024-02-25T03:28:54,484][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: Found partition with id: 3
[2024-02-25T03:28:54,493][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[EC_0e0ca8_1708831733327]
[2024-02-25T03:28:54,494][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[MF_4468b6_1708831733355]
[2024-02-25T03:28:54,506][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub
registration complete. {:event_hub_name=>"insights-logs-
applicationgatewayaccesslog"}
[2024-02-25T03:28:54,507][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub is
processing events... {:event_hub_name=>"insights-logs-
applicationgatewayaccesslog"}
[2024-02-25T03:28:54,521][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalClose hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_4468b6_1708831733355], errorCondition[null], errorDescription[null]
[2024-02-25T03:28:54,522][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalClose hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_922878_1708831733355], errorCondition[null], errorDescription[null]
[2024-02-25T03:28:54,523][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:28:54,523][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:28:54,523][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[mgmt], linkName[mgmt:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:28:54,523][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose connectionId[mgmt-session],
entityName[MF_922878_1708831733355], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:28:54,533][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:28:54,534][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:28:54,535][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:28:54,535][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:28:54,535][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[mgmt], linkName[mgmt:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:28:54,543][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[mgmt], linkName[mgmt:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:28:54,544][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onClose complete clientId[MF_922878_1708831733355],
session[mgmt-session], link[mgmt], endpoint[$management]
[2024-02-25T03:28:54,544][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_922878_1708831733355], hostName[yazure-eventhub-
apg01.servicebus.windows.net], info[mgmtChannel closed]
[2024-02-25T03:28:54,553][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteClose hostname[yazure-eventhub-
apg01.servicebus.windows.net:5671], connectionId[MF_922878_1708831733355],
errorCondition[null], errorDescription[null]
[2024-02-25T03:28:54,553][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionError messagingFactory[MF_922878_1708831733355], hostname[yazure-
eventhub-apg01.servicebus.windows.net], error[null]
[2024-02-25T03:28:54,554][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub
registration complete. {:event_hub_name=>"insights-logs-
applicationgatewayaccesslog"}
[2024-02-25T03:28:54,562][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub is
processing events... {:event_hub_name=>"insights-logs-
applicationgatewayaccesslog"}
[2024-02-25T03:28:54,554][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_922878_1708831733355], error[n/a]
[2024-02-25T03:28:54,564][INFO ]
[com.microsoft.azure.eventhubs.impl.CustomIOHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed name[MF_922878_1708831733355], hostname[yazure-eventhub-
apg01.servicebus.windows.net:5671]
[2024-02-25T03:28:54,565][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionUnbound hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_922878_1708831733355], state[CLOSED], remoteState[CLOSED]
[2024-02-25T03:28:54,566][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_922878_1708831733355], entityName[mgmt-session], condition[null],
description[null]
[2024-02-25T03:28:54,574][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionFinal hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_922878_1708831733355], errorCondition[null], errorDescription[null]
[2024-02-25T03:28:54,574][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_922878_1708831733355], hostName[yazure-eventhub-
apg01.servicebus.windows.net], message[stopping the reactor because thread was
interrupted or the reactor has no more events to process.]
[2024-02-25T03:28:54,571][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: 3: creating new pump
[2024-02-25T03:28:54,555][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[mgmt], linkName[mgmt:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:28:54,566][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: 2: creating new pump
[2024-02-25T03:28:54,583][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose connectionId[mgmt-session],
entityName[MF_4468b6_1708831733355], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:28:54,585][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:28:54,585][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:28:54,585][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[mgmt], linkName[mgmt:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:28:54,586][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[mgmt], linkName[mgmt:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:28:54,586][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onClose complete clientId[MF_4468b6_1708831733355],
session[mgmt-session], link[mgmt], endpoint[$management]
[2024-02-25T03:28:54,586][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_4468b6_1708831733355], hostName[yazure-eventhub-
apg02.servicebus.windows.net], info[mgmtChannel closed]
[2024-02-25T03:28:54,586][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteClose hostname[yazure-eventhub-
apg02.servicebus.windows.net:5671], connectionId[MF_4468b6_1708831733355],
errorCondition[null], errorDescription[null]
[2024-02-25T03:28:54,586][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionError messagingFactory[MF_4468b6_1708831733355], hostname[yazure-
eventhub-apg02.servicebus.windows.net], error[null]
[2024-02-25T03:28:54,586][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_4468b6_1708831733355], error[n/a]
[2024-02-25T03:28:54,586][INFO ]
[com.microsoft.azure.eventhubs.impl.CustomIOHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed name[MF_4468b6_1708831733355], hostname[yazure-eventhub-
apg02.servicebus.windows.net:5671]
[2024-02-25T03:28:54,586][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionUnbound hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_4468b6_1708831733355], state[CLOSED], remoteState[CLOSED]
[2024-02-25T03:28:54,587][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_4468b6_1708831733355], entityName[mgmt-session], condition[null],
description[null]
[2024-02-25T03:28:54,591][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionFinal hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_4468b6_1708831733355], errorCondition[null], errorDescription[null]
[2024-02-25T03:28:54,591][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_4468b6_1708831733355], hostName[yazure-eventhub-
apg02.servicebus.windows.net], message[stopping the reactor because thread was
interrupted or the reactor has no more events to process.]
[2024-02-25T03:28:54,593][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: 2: Creating and opening event processor
instance
[2024-02-25T03:28:54,695][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: 3: Creating and opening event processor
instance
[2024-02-25T03:28:54,777][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is opening.
[2024-02-25T03:28:54,777][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: 3: Opening EH client
[2024-02-25T03:28:54,777][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 2 is opening.
[2024-02-25T03:28:54,784][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: 2: Opening EH client
[2024-02-25T03:28:54,785][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_ba6c2b_1708831734785], hostName[yazure-eventhub-
apg01.servicebus.windows.net], info[starting reactor instance.]
[2024-02-25T03:28:54,786][INFO ][com.microsoft.azure.eventhubs.impl.ReactorHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
name[MF_ba6c2b_1708831734785] reactor.onReactorInit
[2024-02-25T03:28:54,786][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_ba4833_1708831734785], hostName[yazure-eventhub-
apg02.servicebus.windows.net], info[starting reactor instance.]
[2024-02-25T03:28:54,786][INFO ][com.microsoft.azure.eventhubs.impl.ReactorHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
name[MF_ba4833_1708831734785] reactor.onReactorInit
[2024-02-25T03:28:54,786][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onConnectionInit
hostname[yazure-eventhub-apg02.servicebus.windows.net],
connectionId[MF_ba4833_1708831734785]
[2024-02-25T03:28:54,786][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalOpen hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_ba4833_1708831734785], errorCondition[null], errorDescription[null]
[2024-02-25T03:28:54,787][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionBound hostname[yazure-eventhub-apg02.servicebus.windows.net],
connectionId[MF_ba4833_1708831734785]
[2024-02-25T03:28:54,786][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onConnectionInit
hostname[yazure-eventhub-apg01.servicebus.windows.net],
connectionId[MF_ba6c2b_1708831734785]
[2024-02-25T03:28:54,797][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalOpen hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_ba6c2b_1708831734785], errorCondition[null], errorDescription[null]
[2024-02-25T03:28:54,804][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionBound hostname[yazure-eventhub-apg01.servicebus.windows.net],
connectionId[MF_ba6c2b_1708831734785]
[2024-02-25T03:28:54,885][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteOpen hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_ba4833_1708831734785],
remoteContainer[9903b5cd1588437bac195ce2a46989b1_G11]
[2024-02-25T03:28:54,887][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: 3: Initial position provided:
offset[@latest], sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:28:54,887][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: 3: Opening EH receiver with epoch 0 at
location offset[@latest], sequenceNumber[null], enqueuedTime[null],
inclusiveFlag[false]
[2024-02-25T03:28:54,888][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteOpen hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_ba6c2b_1708831734785],
remoteContainer[72f450b5e0ac45b49a62ce277a8c1c7c_G20]
[2024-02-25T03:28:54,895][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: 2: Initial position provided:
offset[@latest], sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:28:54,895][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: 2: Opening EH receiver with epoch 0 at
location offset[@latest], sequenceNumber[null], enqueuedTime[null],
inclusiveFlag[false]
[2024-02-25T03:28:54,926][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_22e3e4_1708831734906_MF_ba4833_1708831734785-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], operationTimeout[PT1M], creating a receive link
[2024-02-25T03:28:54,928][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_15446e_1708831734926_MF_ba6c2b_1708831734785-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
2], operationTimeout[PT1M], creating a receive link
[2024-02-25T03:28:54,937][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_ba6c2b_1708831734785], hostName[yazure-eventhub-
apg01.servicebus.windows.net], getting a session.
[2024-02-25T03:28:54,937][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_ba6c2b_1708831734785], entityName[cbs-session],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:28:54,938][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
senderName[cbs], linkName[cbs:sender], localTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:28:54,938][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[cbs], linkName[cbs:receiver], localSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:28:54,947][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_ba6c2b_1708831734785], entityName[cbs-session],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:28:54,947][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
senderName[cbs], linkName[cbs:sender], remoteTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:28:54,947][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[cbs], linkName[cbs:receiver], remoteSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:28:54,948][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onOpen complete clientId[MF_ba6c2b_1708831734785],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:28:54,965][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_ba4833_1708831734785], hostName[yazure-eventhub-
apg02.servicebus.windows.net], getting a session.
[2024-02-25T03:28:54,966][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_ba4833_1708831734785], entityName[cbs-session],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:28:54,980][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_ba6c2b_1708831734785], hostName[yazure-eventhub-
apg01.servicebus.windows.net], getting a session.
[2024-02-25T03:28:54,980][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_ba6c2b_1708831734785], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/2],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:28:54,986][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
senderName[cbs], linkName[cbs:sender], localTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:28:54,986][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[cbs], linkName[cbs:receiver], localSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:28:54,988][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_ba6c2b_1708831734785], entityName[insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/2],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:28:54,988][INFO ]
[com.microsoft.azure.eventhubs.impl.PartitionReceiverImpl][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
receiverPath[RECEIVER IS NULL], action[createReceiveLink], offset[@latest],
sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:28:54,995][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_ba4833_1708831734785], entityName[cbs-session],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:28:54,996][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
senderName[cbs], linkName[cbs:sender], remoteTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:28:54,996][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[cbs], linkName[cbs:receiver], remoteSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:28:54,997][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onOpen complete clientId[MF_ba4833_1708831734785],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:28:55,007][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_ba4833_1708831734785], hostName[yazure-eventhub-
apg02.servicebus.windows.net], getting a session.
[2024-02-25T03:28:55,008][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_ba4833_1708831734785], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/3],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:28:55,017][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[PR_15446e_1708831734926_MF_ba6c2b_1708831734785-InternalReceiver],
linkName[LN_9d3508_1708831735016_c7c_G20], localSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/2',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=UnknownDescribedType{descriptor=apache.org:selector-filter:string,
described=amqp.annotation.x-opt-offset > '@latest'}}, defaultOutcome=null,
outcomes=null, capabilities=null}]
[2024-02-25T03:28:55,025][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_ba4833_1708831734785], entityName[insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/3],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:28:55,025][INFO ]
[com.microsoft.azure.eventhubs.impl.PartitionReceiverImpl][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
receiverPath[RECEIVER IS NULL], action[createReceiveLink], offset[@latest],
sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:28:55,026][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[PR_22e3e4_1708831734906_MF_ba4833_1708831734785-InternalReceiver],
linkName[LN_68bbbf_1708831735025_9b1_G11], localSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/3',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=UnknownDescribedType{descriptor=apache.org:selector-filter:string,
described=amqp.annotation.x-opt-offset > '@latest'}}, defaultOutcome=null,
outcomes=null, capabilities=null}]
[2024-02-25T03:28:55,039][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[PR_22e3e4_1708831734906_MF_ba4833_1708831734785-InternalReceiver],
linkName[LN_68bbbf_1708831735025_9b1_G11], remoteSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/3',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=org.apache.qpid.proton.codec.DecoderImpl$UnknownDescribedType@60adf2f3},
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:28:55,048][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onOpenComplete -
clientId[PR_22e3e4_1708831734906_MF_ba4833_1708831734785-InternalReceiver],
receiverPath[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/3], linkName[LN_68bbbf_1708831735025_9b1_G11], updated-link-credit[300],
sentCredits[300]
[2024-02-25T03:28:55,056][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[PR_15446e_1708831734926_MF_ba6c2b_1708831734785-InternalReceiver],
linkName[LN_9d3508_1708831735016_c7c_G20], remoteSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/2',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=org.apache.qpid.proton.codec.DecoderImpl$UnknownDescribedType@eedf9fc},
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:28:55,066][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onOpenComplete -
clientId[PR_15446e_1708831734926_MF_ba6c2b_1708831734785-InternalReceiver],
receiverPath[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/2], linkName[LN_9d3508_1708831735016_c7c_G20], updated-link-credit[300],
sentCredits[300]
[2024-02-25T03:28:55,068][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: 2: EH client and receiver creation finished
[2024-02-25T03:28:55,049][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: 3: EH client and receiver creation finished
[2024-02-25T03:29:24,613][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: 0: creating new pump
[2024-02-25T03:29:24,614][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: 0: Creating and opening event processor
instance
[2024-02-25T03:29:24,625][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 0 is opening.
[2024-02-25T03:29:24,625][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: 0: Opening EH client
[2024-02-25T03:29:24,626][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_0be1c1_1708831764625], hostName[yazure-eventhub-
apg01.servicebus.windows.net], info[starting reactor instance.]
[2024-02-25T03:29:24,626][INFO ][com.microsoft.azure.eventhubs.impl.ReactorHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
name[MF_0be1c1_1708831764625] reactor.onReactorInit
[2024-02-25T03:29:24,626][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onConnectionInit
hostname[yazure-eventhub-apg01.servicebus.windows.net],
connectionId[MF_0be1c1_1708831764625]
[2024-02-25T03:29:24,627][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalOpen hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_0be1c1_1708831764625], errorCondition[null], errorDescription[null]
[2024-02-25T03:29:24,627][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionBound hostname[yazure-eventhub-apg01.servicebus.windows.net],
connectionId[MF_0be1c1_1708831764625]
[2024-02-25T03:29:24,697][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: 1: creating new pump
[2024-02-25T03:29:24,697][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: 1: Creating and opening event processor
instance
[2024-02-25T03:29:24,704][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 is opening.
[2024-02-25T03:29:24,705][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: 1: Opening EH client
[2024-02-25T03:29:24,705][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_88d1fa_1708831764705], hostName[yazure-eventhub-
apg02.servicebus.windows.net], info[starting reactor instance.]
[2024-02-25T03:29:24,705][INFO ][com.microsoft.azure.eventhubs.impl.ReactorHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
name[MF_88d1fa_1708831764705] reactor.onReactorInit
[2024-02-25T03:29:24,706][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onConnectionInit
hostname[yazure-eventhub-apg02.servicebus.windows.net],
connectionId[MF_88d1fa_1708831764705]
[2024-02-25T03:29:24,706][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalOpen hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_88d1fa_1708831764705], errorCondition[null], errorDescription[null]
[2024-02-25T03:29:24,706][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionBound hostname[yazure-eventhub-apg02.servicebus.windows.net],
connectionId[MF_88d1fa_1708831764705]
[2024-02-25T03:29:24,754][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteOpen hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_0be1c1_1708831764625],
remoteContainer[8c430f54cd3e424d9acf5479afe7ad90_G21]
[2024-02-25T03:29:24,755][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: 0: Initial position provided:
offset[@latest], sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:29:24,755][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: 0: Opening EH receiver with epoch 0 at
location offset[@latest], sequenceNumber[null], enqueuedTime[null],
inclusiveFlag[false]
[2024-02-25T03:29:24,756][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_a5dc87_1708831764755_MF_0be1c1_1708831764625-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
0], operationTimeout[PT1M], creating a receive link
[2024-02-25T03:29:24,756][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_0be1c1_1708831764625], hostName[yazure-eventhub-
apg01.servicebus.windows.net], getting a session.
[2024-02-25T03:29:24,757][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_0be1c1_1708831764625], entityName[cbs-session],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:29:24,764][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
senderName[cbs], linkName[cbs:sender], localTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:29:24,764][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[cbs], linkName[cbs:receiver], localSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:29:24,767][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_0be1c1_1708831764625], entityName[cbs-session],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:29:24,767][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
senderName[cbs], linkName[cbs:sender], remoteTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:29:24,767][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[cbs], linkName[cbs:receiver], remoteSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:29:24,767][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onOpen complete clientId[MF_0be1c1_1708831764625],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:29:24,775][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_0be1c1_1708831764625], hostName[yazure-eventhub-
apg01.servicebus.windows.net], getting a session.
[2024-02-25T03:29:24,775][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_0be1c1_1708831764625], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/0],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:29:24,777][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_0be1c1_1708831764625], entityName[insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/0],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:29:24,777][INFO ]
[com.microsoft.azure.eventhubs.impl.PartitionReceiverImpl][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
receiverPath[RECEIVER IS NULL], action[createReceiveLink], offset[@latest],
sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:29:24,778][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[PR_a5dc87_1708831764755_MF_0be1c1_1708831764625-InternalReceiver],
linkName[LN_3f6fb9_1708831764778_d90_G21], localSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/0',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=UnknownDescribedType{descriptor=apache.org:selector-filter:string,
described=amqp.annotation.x-opt-offset > '@latest'}}, defaultOutcome=null,
outcomes=null, capabilities=null}]
[2024-02-25T03:29:24,796][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[PR_a5dc87_1708831764755_MF_0be1c1_1708831764625-InternalReceiver],
linkName[LN_3f6fb9_1708831764778_d90_G21], remoteSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/0',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=org.apache.qpid.proton.codec.DecoderImpl$UnknownDescribedType@796a031
f}, defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:29:24,796][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onOpenComplete -
clientId[PR_a5dc87_1708831764755_MF_0be1c1_1708831764625-InternalReceiver],
receiverPath[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/0], linkName[LN_3f6fb9_1708831764778_d90_G21], updated-link-credit[300],
sentCredits[300]
[2024-02-25T03:29:24,798][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: 0: EH client and receiver creation finished
[2024-02-25T03:29:24,827][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteOpen hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_88d1fa_1708831764705],
remoteContainer[3bb97820beda43f7a42712dc1b8ade07_G30]
[2024-02-25T03:29:24,828][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: 1: Initial position provided:
offset[@latest], sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:29:24,828][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: 1: Opening EH receiver with epoch 0 at
location offset[@latest], sequenceNumber[null], enqueuedTime[null],
inclusiveFlag[false]
[2024-02-25T03:29:24,837][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_1c3444_1708831764828_MF_88d1fa_1708831764705-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
1], operationTimeout[PT1M], creating a receive link
[2024-02-25T03:29:24,838][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_88d1fa_1708831764705], hostName[yazure-eventhub-
apg02.servicebus.windows.net], getting a session.
[2024-02-25T03:29:24,846][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_88d1fa_1708831764705], entityName[cbs-session],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:29:24,847][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
senderName[cbs], linkName[cbs:sender], localTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:29:24,847][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[cbs], linkName[cbs:receiver], localSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:29:24,856][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_88d1fa_1708831764705], entityName[cbs-session],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:29:24,857][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
senderName[cbs], linkName[cbs:sender], remoteTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:29:24,858][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[cbs], linkName[cbs:receiver], remoteSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:29:24,858][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onOpen complete clientId[MF_88d1fa_1708831764705],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:29:24,867][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_88d1fa_1708831764705], hostName[yazure-eventhub-
apg02.servicebus.windows.net], getting a session.
[2024-02-25T03:29:24,867][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_88d1fa_1708831764705], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/1],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:29:24,875][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_88d1fa_1708831764705], entityName[insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/1],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:29:24,875][INFO ]
[com.microsoft.azure.eventhubs.impl.PartitionReceiverImpl][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
receiverPath[RECEIVER IS NULL], action[createReceiveLink], offset[@latest],
sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:29:24,875][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[PR_1c3444_1708831764828_MF_88d1fa_1708831764705-InternalReceiver],
linkName[LN_c977a7_1708831764875_e07_G30], localSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/1',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=UnknownDescribedType{descriptor=apache.org:selector-filter:string,
described=amqp.annotation.x-opt-offset > '@latest'}}, defaultOutcome=null,
outcomes=null, capabilities=null}]
[2024-02-25T03:29:24,885][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[PR_1c3444_1708831764828_MF_88d1fa_1708831764705-InternalReceiver],
linkName[LN_c977a7_1708831764875_e07_G30], remoteSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/1',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=org.apache.qpid.proton.codec.DecoderImpl$UnknownDescribedType@4e831d2
5}, defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:29:24,887][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onOpenComplete -
clientId[PR_1c3444_1708831764828_MF_88d1fa_1708831764705-InternalReceiver],
receiverPath[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/1], linkName[LN_c977a7_1708831764875_e07_G30], updated-link-credit[300],
sentCredits[300]
[2024-02-25T03:29:24,888][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: 1: EH client and receiver creation finished
[2024-02-25T03:31:09,677][WARN ][logstash.runner ] SIGTERM received.
Shutting down.
[2024-02-25T03:31:10,487][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Unregistering
Event Hub this can take a while... {:event_hub_name=>"insights-logs-
applicationgatewayaccesslog"}
[2024-02-25T03:31:10,488][INFO ]
[com.microsoft.azure.eventprocessorhost.EventProcessorHost][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: Stopping event processing
[2024-02-25T03:31:10,488][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: Shutting down all pumps
[2024-02-25T03:31:10,488][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: 1: closing pump for reason Shutdown
[2024-02-25T03:31:10,489][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: 1: pump shutdown for reason Shutdown
[2024-02-25T03:31:10,489][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: 3: closing pump for reason Shutdown
[2024-02-25T03:31:10,489][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: 3: pump shutdown for reason Shutdown
[2024-02-25T03:31:10,489][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: 1: Setting receive handler to null
[2024-02-25T03:31:10,490][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: 3: Setting receive handler to null
[2024-02-25T03:31:10,506][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Unregistering
Event Hub this can take a while... {:event_hub_name=>"insights-logs-
applicationgatewayaccesslog"}
[2024-02-25T03:31:10,507][INFO ]
[com.microsoft.azure.eventprocessorhost.EventProcessorHost][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: Stopping event processing
[2024-02-25T03:31:10,507][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: Shutting down all pumps
[2024-02-25T03:31:10,507][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: 0: closing pump for reason Shutdown
[2024-02-25T03:31:10,507][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: 0: pump shutdown for reason Shutdown
[2024-02-25T03:31:10,507][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: 2: closing pump for reason Shutdown
[2024-02-25T03:31:10,507][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: 2: pump shutdown for reason Shutdown
[2024-02-25T03:31:10,507][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: 2: Setting receive handler to null
[2024-02-25T03:31:10,507][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: 0: Setting receive handler to null
[2024-02-25T03:31:14,788][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>35,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>27, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"}]=>[{"thre
ad_id"=>34, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:31:14,790][ERROR][org.logstash.execution.ShutdownWatcherExt] The
shutdown process appears to be stalled due to busy or blocked plugins. Check the
logs for more information.
[2024-02-25T03:31:14,969][INFO ][com.microsoft.azure.eventhubs.impl.ReceivePump]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Stopping receive
pump for eventHub (insights-logs-applicationgatewayaccesslog), consumerGroup
($Default), partition (0) as per the request.
[2024-02-25T03:31:14,969][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: 0: Closing EH receiver
[2024-02-25T03:31:14,969][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[PR_a5dc87_1708831764755_MF_0be1c1_1708831764625]
[2024-02-25T03:31:14,969][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[PR_a5dc87_1708831764755_MF_0be1c1_1708831764625-InternalReceiver]
[2024-02-25T03:31:14,969][INFO ]
[com.microsoft.azure.eventhubs.impl.ActiveClientTokenManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientEntity[PR_a5dc87_1708831764755_MF_0be1c1_1708831764625-InternalReceiver] -
canceling ActiveClientLinkManager
[2024-02-25T03:31:14,970][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[PR_a5dc87_1708831764755_MF_0be1c1_1708831764625-InternalReceiver],
linkName[LN_3f6fb9_1708831764778_d90_G21], errorCondition[null],
errorDescription[null]
[2024-02-25T03:31:14,970][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[PR_a5dc87_1708831764755_MF_0be1c1_1708831764625-InternalReceiver],
linkName[LN_3f6fb9_1708831764778_d90_G21], errorCondition[null],
errorDescription[null]
[2024-02-25T03:31:14,971][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/0], entityName[MF_0be1c1_1708831764625], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:31:14,977][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[PR_a5dc87_1708831764755_MF_0be1c1_1708831764625-
InternalReceiver], linkName[LN_3f6fb9_1708831764778_d90_G21], errorCondition[null],
errorDescription[null]
[2024-02-25T03:31:14,977][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[PR_a5dc87_1708831764755_MF_0be1c1_1708831764625-InternalReceiver],
linkName[LN_3f6fb9_1708831764778_d90_G21], errorCondition[null],
errorDescription[null]
[2024-02-25T03:31:14,977][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/0], entityName[MF_0be1c1_1708831764625], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:31:14,977][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: 0: Closing EH client
[2024-02-25T03:31:14,977][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[EC_b4ca67_1708831764625]
[2024-02-25T03:31:14,977][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[MF_0be1c1_1708831764625]
[2024-02-25T03:31:14,978][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalClose hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_0be1c1_1708831764625], errorCondition[null], errorDescription[null]
[2024-02-25T03:31:14,978][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:31:14,978][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:31:14,978][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:31:14,978][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose connectionId[cbs-session], entityName[MF_0be1c1_1708831764625],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:31:14,980][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[cbs], linkName[cbs:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:31:14,980][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:31:14,980][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:31:14,980][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:31:14,980][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onClose complete clientId[MF_0be1c1_1708831764625],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:31:14,981][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_0be1c1_1708831764625], hostName[yazure-eventhub-
apg01.servicebus.windows.net], info[cbsChannel closed]
[2024-02-25T03:31:14,981][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteClose hostname[yazure-eventhub-
apg01.servicebus.windows.net:5671], connectionId[MF_0be1c1_1708831764625],
errorCondition[null], errorDescription[null]
[2024-02-25T03:31:14,981][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionError messagingFactory[MF_0be1c1_1708831764625], hostname[yazure-
eventhub-apg01.servicebus.windows.net], error[null]
[2024-02-25T03:31:14,981][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_0be1c1_1708831764625], error[n/a]
[2024-02-25T03:31:14,981][INFO ]
[com.microsoft.azure.eventhubs.impl.CustomIOHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed name[MF_0be1c1_1708831764625], hostname[yazure-eventhub-
apg01.servicebus.windows.net:5671]
[2024-02-25T03:31:14,981][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionUnbound hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_0be1c1_1708831764625], state[CLOSED], remoteState[CLOSED]
[2024-02-25T03:31:14,981][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_0be1c1_1708831764625], entityName[cbs-session], condition[null],
description[null]
[2024-02-25T03:31:14,987][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_0be1c1_1708831764625], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/0], condition[null],
description[null]
[2024-02-25T03:31:14,987][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionFinal hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_0be1c1_1708831764625], errorCondition[null], errorDescription[null]
[2024-02-25T03:31:14,987][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_0be1c1_1708831764625], hostName[yazure-eventhub-
apg01.servicebus.windows.net], message[stopping the reactor because thread was
interrupted or the reactor has no more events to process.]
[2024-02-25T03:31:14,999][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 0 is closing.
(reason=Shutdown)
[2024-02-25T03:31:19,806][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>35,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>27, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"}]=>[{"thre
ad_id"=>34, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:31:23,925][INFO ][com.microsoft.azure.eventhubs.impl.ReceivePump]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Stopping receive
pump for eventHub (insights-logs-applicationgatewayaccesslog), consumerGroup
($Default), partition (2) as per the request.
[2024-02-25T03:31:23,925][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: 2: Closing EH receiver
[2024-02-25T03:31:23,925][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[PR_15446e_1708831734926_MF_ba6c2b_1708831734785]
[2024-02-25T03:31:23,925][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[PR_15446e_1708831734926_MF_ba6c2b_1708831734785-InternalReceiver]
[2024-02-25T03:31:23,925][INFO ]
[com.microsoft.azure.eventhubs.impl.ActiveClientTokenManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientEntity[PR_15446e_1708831734926_MF_ba6c2b_1708831734785-InternalReceiver] -
canceling ActiveClientLinkManager
[2024-02-25T03:31:23,926][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[PR_15446e_1708831734926_MF_ba6c2b_1708831734785-InternalReceiver],
linkName[LN_9d3508_1708831735016_c7c_G20], errorCondition[null],
errorDescription[null]
[2024-02-25T03:31:23,926][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[PR_15446e_1708831734926_MF_ba6c2b_1708831734785-InternalReceiver],
linkName[LN_9d3508_1708831735016_c7c_G20], errorCondition[null],
errorDescription[null]
[2024-02-25T03:31:23,926][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/2], entityName[MF_ba6c2b_1708831734785], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:31:23,928][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[PR_15446e_1708831734926_MF_ba6c2b_1708831734785-
InternalReceiver], linkName[LN_9d3508_1708831735016_c7c_G20], errorCondition[null],
errorDescription[null]
[2024-02-25T03:31:23,928][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[PR_15446e_1708831734926_MF_ba6c2b_1708831734785-InternalReceiver],
linkName[LN_9d3508_1708831735016_c7c_G20], errorCondition[null],
errorDescription[null]
[2024-02-25T03:31:23,928][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/2], entityName[MF_ba6c2b_1708831734785], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:31:23,928][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: 2: Closing EH client
[2024-02-25T03:31:23,928][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[EC_7ac8ad_1708831734785]
[2024-02-25T03:31:23,928][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[MF_ba6c2b_1708831734785]
[2024-02-25T03:31:23,929][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalClose hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_ba6c2b_1708831734785], errorCondition[null], errorDescription[null]
[2024-02-25T03:31:23,930][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:31:23,930][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:31:23,930][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:31:23,930][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose connectionId[cbs-session], entityName[MF_ba6c2b_1708831734785],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:31:23,936][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[cbs], linkName[cbs:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:31:23,936][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:31:23,936][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:31:23,936][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:31:23,936][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onClose complete clientId[MF_ba6c2b_1708831734785],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:31:23,936][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_ba6c2b_1708831734785], hostName[yazure-eventhub-
apg01.servicebus.windows.net], info[cbsChannel closed]
[2024-02-25T03:31:23,936][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteClose hostname[yazure-eventhub-
apg01.servicebus.windows.net:5671], connectionId[MF_ba6c2b_1708831734785],
errorCondition[null], errorDescription[null]
[2024-02-25T03:31:23,937][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionError messagingFactory[MF_ba6c2b_1708831734785], hostname[yazure-
eventhub-apg01.servicebus.windows.net], error[null]
[2024-02-25T03:31:23,937][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_ba6c2b_1708831734785], error[n/a]
[2024-02-25T03:31:23,937][INFO ]
[com.microsoft.azure.eventhubs.impl.CustomIOHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed name[MF_ba6c2b_1708831734785], hostname[yazure-eventhub-
apg01.servicebus.windows.net:5671]
[2024-02-25T03:31:23,937][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionUnbound hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_ba6c2b_1708831734785], state[CLOSED], remoteState[CLOSED]
[2024-02-25T03:31:23,937][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_ba6c2b_1708831734785], entityName[cbs-session], condition[null],
description[null]
[2024-02-25T03:31:23,937][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_ba6c2b_1708831734785], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/2], condition[null],
description[null]
[2024-02-25T03:31:23,937][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionFinal hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_ba6c2b_1708831734785], errorCondition[null], errorDescription[null]
[2024-02-25T03:31:23,937][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_ba6c2b_1708831734785], hostName[yazure-eventhub-
apg01.servicebus.windows.net], message[stopping the reactor because thread was
interrupted or the reactor has no more events to process.]
[2024-02-25T03:31:23,938][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 2 is closing.
(reason=Shutdown)
[2024-02-25T03:31:23,938][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
19947832-0294-42b6-9682-30e15befea9f: Partition manager exiting
[2024-02-25T03:31:23,938][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub
insights-logs-applicationgatewayaccesslog is closed.
[2024-02-25T03:31:24,833][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>35,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>27, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"}]=>[{"thre
ad_id"=>34, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:31:29,847][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>35,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>27, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"}]=>[{"thre
ad_id"=>34, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:31:34,860][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>35,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>27, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"}]=>[{"thre
ad_id"=>34, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:31:39,873][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>35,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>27, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"}]=>[{"thre
ad_id"=>34, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:31:44,886][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>35,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>27, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"}]=>[{"thre
ad_id"=>34, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:31:49,898][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>35,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>27, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"}]=>[{"thre
ad_id"=>34, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:31:54,734][INFO ][com.microsoft.azure.eventhubs.impl.ReceivePump]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Stopping receive
pump for eventHub (insights-logs-applicationgatewayaccesslog), consumerGroup
($Default), partition (3) as per the request.
[2024-02-25T03:31:54,734][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: 3: Closing EH receiver
[2024-02-25T03:31:54,734][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[PR_22e3e4_1708831734906_MF_ba4833_1708831734785]
[2024-02-25T03:31:54,734][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[PR_22e3e4_1708831734906_MF_ba4833_1708831734785-InternalReceiver]
[2024-02-25T03:31:54,734][INFO ]
[com.microsoft.azure.eventhubs.impl.ActiveClientTokenManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientEntity[PR_22e3e4_1708831734906_MF_ba4833_1708831734785-InternalReceiver] -
canceling ActiveClientLinkManager
[2024-02-25T03:31:54,735][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[PR_22e3e4_1708831734906_MF_ba4833_1708831734785-InternalReceiver],
linkName[LN_68bbbf_1708831735025_9b1_G11], errorCondition[null],
errorDescription[null]
[2024-02-25T03:31:54,735][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[PR_22e3e4_1708831734906_MF_ba4833_1708831734785-InternalReceiver],
linkName[LN_68bbbf_1708831735025_9b1_G11], errorCondition[null],
errorDescription[null]
[2024-02-25T03:31:54,735][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/3], entityName[MF_ba4833_1708831734785], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:31:54,736][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[PR_22e3e4_1708831734906_MF_ba4833_1708831734785-
InternalReceiver], linkName[LN_68bbbf_1708831735025_9b1_G11], errorCondition[null],
errorDescription[null]
[2024-02-25T03:31:54,736][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[PR_22e3e4_1708831734906_MF_ba4833_1708831734785-InternalReceiver],
linkName[LN_68bbbf_1708831735025_9b1_G11], errorCondition[null],
errorDescription[null]
[2024-02-25T03:31:54,737][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/3], entityName[MF_ba4833_1708831734785], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:31:54,737][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: 3: Closing EH client
[2024-02-25T03:31:54,737][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[EC_59c78e_1708831734784]
[2024-02-25T03:31:54,737][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[MF_ba4833_1708831734785]
[2024-02-25T03:31:54,738][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalClose hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_ba4833_1708831734785], errorCondition[null], errorDescription[null]
[2024-02-25T03:31:54,738][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:31:54,738][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:31:54,738][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:31:54,738][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose connectionId[cbs-session], entityName[MF_ba4833_1708831734785],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:31:54,744][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[cbs], linkName[cbs:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:31:54,744][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:31:54,744][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:31:54,744][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:31:54,744][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onClose complete clientId[MF_ba4833_1708831734785],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:31:54,744][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_ba4833_1708831734785], hostName[yazure-eventhub-
apg02.servicebus.windows.net], info[cbsChannel closed]
[2024-02-25T03:31:54,744][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteClose hostname[yazure-eventhub-
apg02.servicebus.windows.net:5671], connectionId[MF_ba4833_1708831734785],
errorCondition[null], errorDescription[null]
[2024-02-25T03:31:54,744][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionError messagingFactory[MF_ba4833_1708831734785], hostname[yazure-
eventhub-apg02.servicebus.windows.net], error[null]
[2024-02-25T03:31:54,745][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_ba4833_1708831734785], error[n/a]
[2024-02-25T03:31:54,745][INFO ]
[com.microsoft.azure.eventhubs.impl.CustomIOHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed name[MF_ba4833_1708831734785], hostname[yazure-eventhub-
apg02.servicebus.windows.net:5671]
[2024-02-25T03:31:54,745][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionUnbound hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_ba4833_1708831734785], state[CLOSED], remoteState[CLOSED]
[2024-02-25T03:31:54,745][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_ba4833_1708831734785], entityName[cbs-session], condition[null],
description[null]
[2024-02-25T03:31:54,745][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_ba4833_1708831734785], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/3], condition[null],
description[null]
[2024-02-25T03:31:54,745][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionFinal hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_ba4833_1708831734785], errorCondition[null], errorDescription[null]
[2024-02-25T03:31:54,745][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_ba4833_1708831734785], hostName[yazure-eventhub-
apg02.servicebus.windows.net], message[stopping the reactor because thread was
interrupted or the reactor has no more events to process.]
[2024-02-25T03:31:54,745][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is closing.
(reason=Shutdown)
[2024-02-25T03:31:54,911][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>35,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>27, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"}]=>[{"thre
ad_id"=>34, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:31:59,929][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>35,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>27, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"}]=>[{"thre
ad_id"=>34, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:32:02,881][INFO ][com.microsoft.azure.eventhubs.impl.ReceivePump]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Stopping receive
pump for eventHub (insights-logs-applicationgatewayaccesslog), consumerGroup
($Default), partition (1) as per the request.
[2024-02-25T03:32:02,881][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: 1: Closing EH receiver
[2024-02-25T03:32:02,881][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[PR_1c3444_1708831764828_MF_88d1fa_1708831764705]
[2024-02-25T03:32:02,881][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[PR_1c3444_1708831764828_MF_88d1fa_1708831764705-InternalReceiver]
[2024-02-25T03:32:02,881][INFO ]
[com.microsoft.azure.eventhubs.impl.ActiveClientTokenManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientEntity[PR_1c3444_1708831764828_MF_88d1fa_1708831764705-InternalReceiver] -
canceling ActiveClientLinkManager
[2024-02-25T03:32:02,882][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[PR_1c3444_1708831764828_MF_88d1fa_1708831764705-InternalReceiver],
linkName[LN_c977a7_1708831764875_e07_G30], errorCondition[null],
errorDescription[null]
[2024-02-25T03:32:02,882][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[PR_1c3444_1708831764828_MF_88d1fa_1708831764705-InternalReceiver],
linkName[LN_c977a7_1708831764875_e07_G30], errorCondition[null],
errorDescription[null]
[2024-02-25T03:32:02,882][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/1], entityName[MF_88d1fa_1708831764705], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:32:02,883][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[PR_1c3444_1708831764828_MF_88d1fa_1708831764705-
InternalReceiver], linkName[LN_c977a7_1708831764875_e07_G30], errorCondition[null],
errorDescription[null]
[2024-02-25T03:32:02,883][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[PR_1c3444_1708831764828_MF_88d1fa_1708831764705-InternalReceiver],
linkName[LN_c977a7_1708831764875_e07_G30], errorCondition[null],
errorDescription[null]
[2024-02-25T03:32:02,883][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/1], entityName[MF_88d1fa_1708831764705], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:32:02,883][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: 1: Closing EH client
[2024-02-25T03:32:02,884][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[EC_054229_1708831764705]
[2024-02-25T03:32:02,884][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[MF_88d1fa_1708831764705]
[2024-02-25T03:32:02,884][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalClose hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_88d1fa_1708831764705], errorCondition[null], errorDescription[null]
[2024-02-25T03:32:02,885][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:32:02,885][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:32:02,885][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:32:02,885][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose connectionId[cbs-session], entityName[MF_88d1fa_1708831764705],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:32:02,888][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[cbs], linkName[cbs:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:32:02,889][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:32:02,889][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:32:02,889][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:32:02,889][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onClose complete clientId[MF_88d1fa_1708831764705],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:32:02,889][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_88d1fa_1708831764705], hostName[yazure-eventhub-
apg02.servicebus.windows.net], info[cbsChannel closed]
[2024-02-25T03:32:02,889][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteClose hostname[yazure-eventhub-
apg02.servicebus.windows.net:5671], connectionId[MF_88d1fa_1708831764705],
errorCondition[null], errorDescription[null]
[2024-02-25T03:32:02,889][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionError messagingFactory[MF_88d1fa_1708831764705], hostname[yazure-
eventhub-apg02.servicebus.windows.net], error[null]
[2024-02-25T03:32:02,889][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_88d1fa_1708831764705], error[n/a]
[2024-02-25T03:32:02,889][INFO ]
[com.microsoft.azure.eventhubs.impl.CustomIOHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed name[MF_88d1fa_1708831764705], hostname[yazure-eventhub-
apg02.servicebus.windows.net:5671]
[2024-02-25T03:32:02,889][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionUnbound hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_88d1fa_1708831764705], state[CLOSED], remoteState[CLOSED]
[2024-02-25T03:32:02,889][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_88d1fa_1708831764705], entityName[cbs-session], condition[null],
description[null]
[2024-02-25T03:32:02,889][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_88d1fa_1708831764705], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/1], condition[null],
description[null]
[2024-02-25T03:32:02,889][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionFinal hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_88d1fa_1708831764705], errorCondition[null], errorDescription[null]
[2024-02-25T03:32:02,889][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_88d1fa_1708831764705], hostName[yazure-eventhub-
apg02.servicebus.windows.net], message[stopping the reactor because thread was
interrupted or the reactor has no more events to process.]
[2024-02-25T03:32:02,890][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 is closing.
(reason=Shutdown)
[2024-02-25T03:32:02,890][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
4cd28fe3-b5e1-46de-ba75-026c0ef1cf4d: Partition manager exiting
[2024-02-25T03:32:02,890][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub
insights-logs-applicationgatewayaccesslog is closed.
[2024-02-25T03:32:03,442][INFO ][logstash.javapipeline ][azure_waf_access]
Pipeline terminated {"pipeline.id"=>"azure_waf_access"}
[2024-02-25T03:32:04,031][INFO ][logstash.pipelinesregistry] Removed pipeline from
registry successfully {:pipeline_id=>:azure_waf_access}
[2024-02-25T03:32:04,129][INFO ][logstash.runner ] Logstash shut down.
[2024-02-25T03:33:43,762][INFO ][logstash.runner ] Log4j configuration
path used is: /etc/logstash/log4j2.properties
[2024-02-25T03:33:43,784][INFO ][logstash.runner ] Starting Logstash
{"logstash.version"=>"8.11.4", "jruby.version"=>"jruby 9.4.5.0 (3.1.4) 2023-11-02
1abae2700f OpenJDK 64-Bit Server VM 17.0.9+9 on 17.0.9+9 +indy +jit [x86_64-
linux]"}
[2024-02-25T03:33:43,794][INFO ][logstash.runner ] JVM bootstrap flags: [-
Xms4g, -Xmx4g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -
Djruby.compile.invokedynamic=true, -Djruby.jit.threshold=0, -
Djruby.regexp.interruptible=true, -XX:+HeapDumpOnOutOfMemoryError, -
Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true,
--add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-
UNNAMED, -Djdk.io.File.enableADS=true,
--add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED, --add-
exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED, --add-
exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED, --add-
exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED, --add-
exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED,
--add-opens=java.base/java.security=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-
UNNAMED, --add-opens=java.base/java.nio.channels=ALL-UNNAMED, --add-
opens=java.base/sun.nio.ch=ALL-UNNAMED,
--add-opens=java.management/sun.management=ALL-UNNAMED]
[2024-02-25T03:33:43,813][DEBUG][logstash.modules.scaffold] Found module
{:module_name=>"fb_apache",
:directory=>"/usr/share/logstash/modules/fb_apache/configuration"}
[2024-02-25T03:33:43,813][DEBUG][logstash.plugins.registry] Adding plugin to the
registry
{:name=>"fb_apache", :type=>:modules, :class=>#<LogStash::Modules::Scaffold:0xdff04
58 @directory="/usr/share/logstash/modules/fb_apache/configuration",
@module_name="fb_apache", @kibana_version_parts=["6", "0", "0"]>}
[2024-02-25T03:33:43,814][DEBUG][logstash.modules.scaffold] Found module
{:module_name=>"netflow",
:directory=>"/usr/share/logstash/modules/netflow/configuration"}
[2024-02-25T03:33:43,821][DEBUG][logstash.plugins.registry] Adding plugin to the
registry
{:name=>"netflow", :type=>:modules, :class=>#<LogStash::Modules::Scaffold:0x64bf34e
4 @directory="/usr/share/logstash/modules/netflow/configuration",
@module_name="netflow", @kibana_version_parts=["6", "0", "0"]>}
[2024-02-25T03:33:43,907][DEBUG][logstash.runner ] Setting global
FieldReference escape style: none
[2024-02-25T03:33:44,559][DEBUG][logstash.runner ] -------- Logstash
Settings (* means modified) ---------
[2024-02-25T03:33:44,559][DEBUG][logstash.runner ] allow_superuser: true
[2024-02-25T03:33:44,560][DEBUG][logstash.runner ] node.name: "zsm001-
0z9019"
[2024-02-25T03:33:44,560][DEBUG][logstash.runner ] *path.data:
"/var/lib/logstash" (default: "/usr/share/logstash/data")
[2024-02-25T03:33:44,566][DEBUG][logstash.runner ] modules.cli:
#<Java::OrgLogstashUtil::ModulesSettingArray: []>
[2024-02-25T03:33:44,566][DEBUG][logstash.runner ] modules: []
[2024-02-25T03:33:44,566][DEBUG][logstash.runner ] modules_list: []
[2024-02-25T03:33:44,567][DEBUG][logstash.runner ] modules_variable_list:
[]
[2024-02-25T03:33:44,567][DEBUG][logstash.runner ] modules_setup: false
[2024-02-25T03:33:44,567][DEBUG][logstash.runner ] config.test_and_exit:
false
[2024-02-25T03:33:44,567][DEBUG][logstash.runner ]
*config.reload.automatic: true (default: false)
[2024-02-25T03:33:44,567][DEBUG][logstash.runner ] config.reload.interval:
#<Java::OrgLogstashUtil::TimeValue:0x45da0d4>
[2024-02-25T03:33:44,567][DEBUG][logstash.runner ]
*config.support_escapes: true (default: false)
[2024-02-25T03:33:44,567][DEBUG][logstash.runner ]
config.field_reference.escape_style: "none"
[2024-02-25T03:33:44,567][DEBUG][logstash.runner ] event_api.tags.illegal:
"rename"
[2024-02-25T03:33:44,567][DEBUG][logstash.runner ] metric.collect: true
[2024-02-25T03:33:44,567][DEBUG][logstash.runner ] pipeline.id: "main"
[2024-02-25T03:33:44,568][DEBUG][logstash.runner ] pipeline.system: false
[2024-02-25T03:33:44,568][DEBUG][logstash.runner ] pipeline.workers: 4
[2024-02-25T03:33:44,568][DEBUG][logstash.runner ] pipeline.batch.size:
125
[2024-02-25T03:33:44,568][DEBUG][logstash.runner ] pipeline.batch.delay:
50
[2024-02-25T03:33:44,568][DEBUG][logstash.runner ]
pipeline.unsafe_shutdown: false
[2024-02-25T03:33:44,568][DEBUG][logstash.runner ] pipeline.reloadable:
true
[2024-02-25T03:33:44,568][DEBUG][logstash.runner ]
pipeline.plugin_classloaders: false
[2024-02-25T03:33:44,568][DEBUG][logstash.runner ] pipeline.separate_logs:
false
[2024-02-25T03:33:44,569][DEBUG][logstash.runner ] pipeline.ordered:
"auto"
[2024-02-25T03:33:44,569][DEBUG][logstash.runner ]
pipeline.ecs_compatibility: "v8"
[2024-02-25T03:33:44,569][DEBUG][logstash.runner ] path.plugins: []
[2024-02-25T03:33:44,569][DEBUG][logstash.runner ] config.debug: false
[2024-02-25T03:33:44,569][DEBUG][logstash.runner ] *log.level: "debug"
(default: "info")
[2024-02-25T03:33:44,569][DEBUG][logstash.runner ] version: false
[2024-02-25T03:33:44,569][DEBUG][logstash.runner ] help: false
[2024-02-25T03:33:44,569][DEBUG][logstash.runner ] enable-local-plugin-
development: false
[2024-02-25T03:33:44,569][DEBUG][logstash.runner ] log.format: "plain"
[2024-02-25T03:33:44,570][DEBUG][logstash.runner ] api.enabled: true
[2024-02-25T03:33:44,578][DEBUG][logstash.runner ] api.http.host:
"127.0.0.1"
[2024-02-25T03:33:44,578][DEBUG][logstash.runner ] api.http.port:
9600..9700
[2024-02-25T03:33:44,578][DEBUG][logstash.runner ] api.environment:
"production"
[2024-02-25T03:33:44,578][DEBUG][logstash.runner ] api.auth.type: "none"
[2024-02-25T03:33:44,578][DEBUG][logstash.runner ]
api.auth.basic.password_policy.mode: "WARN"
[2024-02-25T03:33:44,578][DEBUG][logstash.runner ]
api.auth.basic.password_policy.length.minimum: 8
[2024-02-25T03:33:44,578][DEBUG][logstash.runner ]
api.auth.basic.password_policy.include.upper: "REQUIRED"
[2024-02-25T03:33:44,578][DEBUG][logstash.runner ]
api.auth.basic.password_policy.include.lower: "REQUIRED"
[2024-02-25T03:33:44,578][DEBUG][logstash.runner ]
api.auth.basic.password_policy.include.digit: "REQUIRED"
[2024-02-25T03:33:44,578][DEBUG][logstash.runner ]
api.auth.basic.password_policy.include.symbol: "OPTIONAL"
[2024-02-25T03:33:44,578][DEBUG][logstash.runner ] api.ssl.enabled: false
[2024-02-25T03:33:44,579][DEBUG][logstash.runner ]
api.ssl.supported_protocols: []
[2024-02-25T03:33:44,579][DEBUG][logstash.runner ] *queue.type:
"persisted" (default: "memory")
[2024-02-25T03:33:44,579][DEBUG][logstash.runner ] queue.drain: false
[2024-02-25T03:33:44,579][DEBUG][logstash.runner ] queue.page_capacity:
67108864
[2024-02-25T03:33:44,586][DEBUG][logstash.runner ] *queue.max_bytes:
5368709120 (default: 1073741824)
[2024-02-25T03:33:44,587][DEBUG][logstash.runner ] queue.max_events: 0
[2024-02-25T03:33:44,587][DEBUG][logstash.runner ] queue.checkpoint.acks:
1024
[2024-02-25T03:33:44,587][DEBUG][logstash.runner ]
queue.checkpoint.writes: 1024
[2024-02-25T03:33:44,587][DEBUG][logstash.runner ]
queue.checkpoint.interval: 1000
[2024-02-25T03:33:44,587][DEBUG][logstash.runner ] queue.checkpoint.retry:
true
[2024-02-25T03:33:44,587][DEBUG][logstash.runner ]
dead_letter_queue.enable: false
[2024-02-25T03:33:44,588][DEBUG][logstash.runner ]
dead_letter_queue.max_bytes: 1073741824
[2024-02-25T03:33:44,588][DEBUG][logstash.runner ]
dead_letter_queue.flush_interval: 5000
[2024-02-25T03:33:44,588][DEBUG][logstash.runner ]
dead_letter_queue.storage_policy: "drop_newer"
[2024-02-25T03:33:44,588][DEBUG][logstash.runner ] slowlog.threshold.warn:
#<Java::OrgLogstashUtil::TimeValue:0x6a9f41ff>
[2024-02-25T03:33:44,588][DEBUG][logstash.runner ] slowlog.threshold.info:
#<Java::OrgLogstashUtil::TimeValue:0x57a0f6a2>
[2024-02-25T03:33:44,588][DEBUG][logstash.runner ]
slowlog.threshold.debug: #<Java::OrgLogstashUtil::TimeValue:0x5def348b>
[2024-02-25T03:33:44,588][DEBUG][logstash.runner ]
slowlog.threshold.trace: #<Java::OrgLogstashUtil::TimeValue:0x4e1210de>
[2024-02-25T03:33:44,588][DEBUG][logstash.runner ] keystore.classname:
"org.logstash.secret.store.backend.JavaKeyStore"
[2024-02-25T03:33:44,588][DEBUG][logstash.runner ] *keystore.file:
"/etc/logstash/logstash.keystore" (default:
"/usr/share/logstash/config/logstash.keystore")
[2024-02-25T03:33:44,589][DEBUG][logstash.runner ] *path.queue:
"/var/lib/logstash/queue" (default: "/usr/share/logstash/data/queue")
[2024-02-25T03:33:44,589][DEBUG][logstash.runner ]
*path.dead_letter_queue: "/var/lib/logstash/dead_letter_queue" (default:
"/usr/share/logstash/data/dead_letter_queue")
[2024-02-25T03:33:44,589][DEBUG][logstash.runner ] *path.settings:
"/etc/logstash" (default: "/usr/share/logstash/config")
[2024-02-25T03:33:44,589][DEBUG][logstash.runner ] *path.logs:
"/var/log/logstash" (default: "/usr/share/logstash/logs")
[2024-02-25T03:33:44,589][DEBUG][logstash.runner ]
xpack.monitoring.enabled: false
[2024-02-25T03:33:44,590][DEBUG][logstash.runner ]
xpack.monitoring.elasticsearch.hosts: ["http://localhost:9200"]
[2024-02-25T03:33:44,590][DEBUG][logstash.runner ]
xpack.monitoring.collection.interval:
#<Java::OrgLogstashUtil::TimeValue:0x7e7047a2>
[2024-02-25T03:33:44,597][DEBUG][logstash.runner ]
xpack.monitoring.collection.timeout_interval:
#<Java::OrgLogstashUtil::TimeValue:0x17b59bc>
[2024-02-25T03:33:44,597][DEBUG][logstash.runner ]
xpack.monitoring.elasticsearch.username: "logstash_system"
[2024-02-25T03:33:44,597][DEBUG][logstash.runner ]
xpack.monitoring.elasticsearch.ssl.verification_mode: "full"
[2024-02-25T03:33:44,597][DEBUG][logstash.runner ]
xpack.monitoring.elasticsearch.ssl.cipher_suites: []
[2024-02-25T03:33:44,597][DEBUG][logstash.runner ]
xpack.monitoring.elasticsearch.sniffing: false
[2024-02-25T03:33:44,597][DEBUG][logstash.runner ]
xpack.monitoring.collection.pipeline.details.enabled: true
[2024-02-25T03:33:44,597][DEBUG][logstash.runner ]
xpack.monitoring.collection.config.enabled: true
[2024-02-25T03:33:44,597][DEBUG][logstash.runner ] monitoring.enabled:
false
[2024-02-25T03:33:44,597][DEBUG][logstash.runner ]
monitoring.elasticsearch.hosts: ["http://localhost:9200"]
[2024-02-25T03:33:44,597][DEBUG][logstash.runner ]
monitoring.collection.interval: #<Java::OrgLogstashUtil::TimeValue:0x70d49a95>
[2024-02-25T03:33:44,598][DEBUG][logstash.runner ]
monitoring.collection.timeout_interval:
#<Java::OrgLogstashUtil::TimeValue:0x35b331de>
[2024-02-25T03:33:44,598][DEBUG][logstash.runner ]
monitoring.elasticsearch.username: "logstash_system"
[2024-02-25T03:33:44,598][DEBUG][logstash.runner ]
monitoring.elasticsearch.ssl.verification_mode: "full"
[2024-02-25T03:33:44,598][DEBUG][logstash.runner ]
monitoring.elasticsearch.ssl.cipher_suites: []
[2024-02-25T03:33:44,599][DEBUG][logstash.runner ]
monitoring.elasticsearch.sniffing: false
[2024-02-25T03:33:44,599][DEBUG][logstash.runner ]
monitoring.collection.pipeline.details.enabled: true
[2024-02-25T03:33:44,599][DEBUG][logstash.runner ]
monitoring.collection.config.enabled: true
[2024-02-25T03:33:44,599][DEBUG][logstash.runner ] node.uuid: ""
[2024-02-25T03:33:44,599][DEBUG][logstash.runner ]
xpack.management.enabled: false
[2024-02-25T03:33:44,599][DEBUG][logstash.runner ]
xpack.management.logstash.poll_interval:
#<Java::OrgLogstashUtil::TimeValue:0x6c00601e>
[2024-02-25T03:33:44,599][DEBUG][logstash.runner ]
xpack.management.pipeline.id: ["main"]
[2024-02-25T03:33:44,599][DEBUG][logstash.runner ]
xpack.management.elasticsearch.username: "logstash_system"
[2024-02-25T03:33:44,599][DEBUG][logstash.runner ]
xpack.management.elasticsearch.hosts: ["https://localhost:9200"]
[2024-02-25T03:33:44,599][DEBUG][logstash.runner ]
xpack.management.elasticsearch.ssl.cipher_suites: []
[2024-02-25T03:33:44,599][DEBUG][logstash.runner ]
xpack.management.elasticsearch.ssl.verification_mode: "full"
[2024-02-25T03:33:44,599][DEBUG][logstash.runner ]
xpack.management.elasticsearch.sniffing: false
[2024-02-25T03:33:44,600][DEBUG][logstash.runner ]
xpack.geoip.downloader.enabled: true
[2024-02-25T03:33:44,600][DEBUG][logstash.runner ] ---------------
Logstash Settings -------------------
[2024-02-25T03:33:44,950][DEBUG][logstash.agent ] Initializing API
WebServer {"api.http.host"=>"127.0.0.1", "api.http.port"=>9600..9700,
"api.ssl.enabled"=>false, "api.auth.type"=>"none", "api.environment"=>"production"}
[2024-02-25T03:33:45,039][DEBUG][logstash.api.service ] [api-service] start
[2024-02-25T03:33:45,282][DEBUG][logstash.agent ] Setting up metric
collection
[2024-02-25T03:33:45,544][DEBUG][logstash.instrument.periodicpoller.os] Starting
{:polling_interval=>5, :polling_timeout=>120}
[2024-02-25T03:33:46,079][DEBUG][logstash.instrument.periodicpoller.jvm] Starting
{:polling_interval=>5, :polling_timeout=>120}
[2024-02-25T03:33:46,259][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:33:46,276][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:33:46,309][DEBUG]
[logstash.instrument.periodicpoller.persistentqueue] Starting
{:polling_interval=>5, :polling_timeout=>120}
[2024-02-25T03:33:46,347][DEBUG]
[logstash.instrument.periodicpoller.deadletterqueue] Starting
{:polling_interval=>5, :polling_timeout=>120}
[2024-02-25T03:33:46,358][DEBUG][logstash.instrument.periodicpoller.flowrate]
Starting {:polling_interval=>5, :polling_timeout=>120}
[2024-02-25T03:33:47,408][DEBUG][logstash.agent ] Starting agent
[2024-02-25T03:33:47,463][DEBUG][logstash.agent ] Starting API WebServer
(puma)
[2024-02-25T03:33:47,642][DEBUG][logstash.agent ] Trying to start API
WebServer {:port=>9600, :ssl_enabled=>false}
[2024-02-25T03:33:47,662][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:33:47,681][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:33:47,923][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>1}
[2024-02-25T03:33:47,939][INFO ][logstash.agent ] Successfully started
Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[2024-02-25T03:33:47,954][DEBUG][logstash.agent ] Executing action
{:action=>LogStash::PipelineAction::Create/pipeline_id:azure_waf_access}
[2024-02-25T03:33:47,994][DEBUG][org.logstash.secret.store.SecretStoreFactory]
Attempting to exists or secret store with implementation:
org.logstash.secret.store.backend.JavaKeyStore
[2024-02-25T03:33:49,725][INFO ][org.reflections.Reflections] Reflections took 231
ms to scan 1 urls, producing 131 keys and 463 values
[2024-02-25T03:33:49,784][DEBUG][org.logstash.secret.store.SecretStoreFactory]
Attempting to exists or secret store with implementation:
org.logstash.secret.store.backend.JavaKeyStore
[2024-02-25T03:33:50,002][DEBUG][logstash.plugins.registry] On demand adding plugin
to the registry
{:name=>"azure_event_hubs", :type=>"input", :class=>LogStash::Inputs::AzureEventHub
s}
[2024-02-25T03:33:50,195][DEBUG][logstash.plugins.registry] On demand adding plugin
to the registry {:name=>"plain", :type=>"codec", :class=>LogStash::Codecs::Plain}
[2024-02-25T03:33:50,346][DEBUG][logstash.codecs.plain ] config
LogStash::Codecs::Plain/@id = "plain_bcd08ae6-aa82-4171-bde3-c112f08f1df1"
[2024-02-25T03:33:50,347][DEBUG][logstash.codecs.plain ] config
LogStash::Codecs::Plain/@enable_metric = true
[2024-02-25T03:33:50,354][DEBUG][logstash.codecs.plain ] config
LogStash::Codecs::Plain/@charset = "UTF-8"
[2024-02-25T03:33:50,446][DEBUG][logstash.inputs.azureeventhubs] config
LogStash::Inputs::AzureEventHubs/@consumer_group = "$Default"
[2024-02-25T03:33:50,447][DEBUG][logstash.inputs.azureeventhubs] config
LogStash::Inputs::AzureEventHubs/@event_hub_connections = ["Endpoint=sb://yazure-
eventhub-
apg01.servicebus.windows.net/;SharedAccessKeyName=ListningKeyForLogstash;SharedAcce
ssKey=<redacted>;EntityPath=insights-logs-
applicationgatewayaccesslog", "Endpoint=sb://yazure-eventhub-
apg02.servicebus.windows.net/;SharedAccessKeyName=ListningKeyForLogstash;SharedAcce
ssKey=<redacted>;EntityPath=insights-logs-applicationgatewayaccesslog"]
[2024-02-25T03:33:50,447][DEBUG][logstash.inputs.azureeventhubs] config
LogStash::Inputs::AzureEventHubs/@threads = 8
[2024-02-25T03:33:50,447][DEBUG][logstash.inputs.azureeventhubs] config
LogStash::Inputs::AzureEventHubs/@id =
"e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8"
[2024-02-25T03:33:50,447][DEBUG][logstash.inputs.azureeventhubs] config
LogStash::Inputs::AzureEventHubs/@type = "azure_waf"
[2024-02-25T03:33:50,447][DEBUG][logstash.inputs.azureeventhubs] config
LogStash::Inputs::AzureEventHubs/@initial_position = "end"
[2024-02-25T03:33:50,447][DEBUG][logstash.inputs.azureeventhubs] config
LogStash::Inputs::AzureEventHubs/@decorate_events = true
[2024-02-25T03:33:50,448][DEBUG][logstash.inputs.azureeventhubs] config
LogStash::Inputs::AzureEventHubs/@event_hubs = ["dummy"]
[2024-02-25T03:33:50,454][DEBUG][logstash.inputs.azureeventhubs] config
LogStash::Inputs::AzureEventHubs/@enable_metric = true
[2024-02-25T03:33:50,466][DEBUG][logstash.inputs.azureeventhubs] config
LogStash::Inputs::AzureEventHubs/@codec = <LogStash::Codecs::Plain
id=>"plain_bcd08ae6-aa82-4171-bde3-c112f08f1df1", enable_metric=>true,
charset=>"UTF-8">
[2024-02-25T03:33:50,467][DEBUG][logstash.inputs.azureeventhubs] config
LogStash::Inputs::AzureEventHubs/@add_field = {}
[2024-02-25T03:33:50,467][DEBUG][logstash.inputs.azureeventhubs] config
LogStash::Inputs::AzureEventHubs/@config_mode = "basic"
[2024-02-25T03:33:50,467][DEBUG][logstash.inputs.azureeventhubs] config
LogStash::Inputs::AzureEventHubs/@max_batch_size = 125
[2024-02-25T03:33:50,467][DEBUG][logstash.inputs.azureeventhubs] config
LogStash::Inputs::AzureEventHubs/@prefetch_count = 300
[2024-02-25T03:33:50,467][DEBUG][logstash.inputs.azureeventhubs] config
LogStash::Inputs::AzureEventHubs/@receive_timeout = 60
[2024-02-25T03:33:50,467][DEBUG][logstash.inputs.azureeventhubs] config
LogStash::Inputs::AzureEventHubs/@initial_position_look_back = 86400
[2024-02-25T03:33:50,467][DEBUG][logstash.inputs.azureeventhubs] config
LogStash::Inputs::AzureEventHubs/@checkpoint_interval = 5
[2024-02-25T03:33:50,578][DEBUG][logstash.plugins.registry] On demand adding plugin
to the registry {:name=>"json", :type=>"filter", :class=>LogStash::Filters::Json}
[2024-02-25T03:33:50,609][DEBUG][logstash.filters.json ] config
LogStash::Filters::Json/@source = "message"
[2024-02-25T03:33:50,615][DEBUG][logstash.filters.json ] config
LogStash::Filters::Json/@id =
"13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007"
[2024-02-25T03:33:50,616][DEBUG][logstash.filters.json ] config
LogStash::Filters::Json/@enable_metric = true
[2024-02-25T03:33:50,616][DEBUG][logstash.filters.json ] config
LogStash::Filters::Json/@add_tag = []
[2024-02-25T03:33:50,616][DEBUG][logstash.filters.json ] config
LogStash::Filters::Json/@remove_tag = []
[2024-02-25T03:33:50,616][DEBUG][logstash.filters.json ] config
LogStash::Filters::Json/@add_field = {}
[2024-02-25T03:33:50,616][DEBUG][logstash.filters.json ] config
LogStash::Filters::Json/@remove_field = []
[2024-02-25T03:33:50,616][DEBUG][logstash.filters.json ] config
LogStash::Filters::Json/@periodic_flush = false
[2024-02-25T03:33:50,617][DEBUG][logstash.filters.json ] config
LogStash::Filters::Json/@tag_on_failure = ["_jsonparsefailure"]
[2024-02-25T03:33:50,617][DEBUG][logstash.filters.json ] config
LogStash::Filters::Json/@skip_on_invalid_json = false
[2024-02-25T03:33:50,628][DEBUG][logstash.plugins.registry] On demand adding plugin
to the registry {:name=>"split", :type=>"filter", :class=>LogStash::Filters::Split}
[2024-02-25T03:33:50,647][DEBUG][logstash.filters.split ] config
LogStash::Filters::Split/@field = "records"
[2024-02-25T03:33:50,647][DEBUG][logstash.filters.split ] config
LogStash::Filters::Split/@id =
"c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c"
[2024-02-25T03:33:50,647][DEBUG][logstash.filters.split ] config
LogStash::Filters::Split/@enable_metric = true
[2024-02-25T03:33:50,647][DEBUG][logstash.filters.split ] config
LogStash::Filters::Split/@add_tag = []
[2024-02-25T03:33:50,648][DEBUG][logstash.filters.split ] config
LogStash::Filters::Split/@remove_tag = []
[2024-02-25T03:33:50,648][DEBUG][logstash.filters.split ] config
LogStash::Filters::Split/@add_field = {}
[2024-02-25T03:33:50,648][DEBUG][logstash.filters.split ] config
LogStash::Filters::Split/@remove_field = []
[2024-02-25T03:33:50,648][DEBUG][logstash.filters.split ] config
LogStash::Filters::Split/@periodic_flush = false
[2024-02-25T03:33:50,648][DEBUG][logstash.filters.split ] config
LogStash::Filters::Split/@terminator = "\n"
[2024-02-25T03:33:50,667][DEBUG][logstash.plugins.registry] On demand adding plugin
to the registry {:name=>"geoip", :type=>"filter", :class=>LogStash::Filters::GeoIP}
[2024-02-25T03:33:50,688][DEBUG][logstash.filters.geoip ] config
LogStash::Filters::GeoIP/@source = "[records][properties][clientIP]"
[2024-02-25T03:33:50,688][DEBUG][logstash.filters.geoip ] config
LogStash::Filters::GeoIP/@target = "geoip"
[2024-02-25T03:33:50,688][DEBUG][logstash.filters.geoip ] config
LogStash::Filters::GeoIP/@id =
"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"
[2024-02-25T03:33:50,688][DEBUG][logstash.filters.geoip ] config
LogStash::Filters::GeoIP/@enable_metric = true
[2024-02-25T03:33:50,688][DEBUG][logstash.filters.geoip ] config
LogStash::Filters::GeoIP/@add_tag = []
[2024-02-25T03:33:50,688][DEBUG][logstash.filters.geoip ] config
LogStash::Filters::GeoIP/@remove_tag = []
[2024-02-25T03:33:50,688][DEBUG][logstash.filters.geoip ] config
LogStash::Filters::GeoIP/@add_field = {}
[2024-02-25T03:33:50,688][DEBUG][logstash.filters.geoip ] config
LogStash::Filters::GeoIP/@remove_field = []
[2024-02-25T03:33:50,689][DEBUG][logstash.filters.geoip ] config
LogStash::Filters::GeoIP/@periodic_flush = false
[2024-02-25T03:33:50,689][DEBUG][logstash.filters.geoip ] config
LogStash::Filters::GeoIP/@default_database_type = "City"
[2024-02-25T03:33:50,689][DEBUG][logstash.filters.geoip ] config
LogStash::Filters::GeoIP/@cache_size = 1000
[2024-02-25T03:33:50,689][DEBUG][logstash.filters.geoip ] config
LogStash::Filters::GeoIP/@tag_on_failure = ["_geoip_lookup_failure"]
[2024-02-25T03:33:50,699][DEBUG][logstash.plugins.registry] On demand adding plugin
to the registry
{:name=>"elasticsearch", :type=>"output", :class=>LogStash::Outputs::ElasticSearch}
[2024-02-25T03:33:50,749][DEBUG][logstash.codecs.plain ] config
LogStash::Codecs::Plain/@id = "plain_f8a672fc-7d8f-4d46-babe-5cf362c946fd"
[2024-02-25T03:33:50,756][DEBUG][logstash.codecs.plain ] config
LogStash::Codecs::Plain/@enable_metric = true
[2024-02-25T03:33:50,756][DEBUG][logstash.codecs.plain ] config
LogStash::Codecs::Plain/@charset = "UTF-8"
[2024-02-25T03:33:50,867][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@password = <password>
[2024-02-25T03:33:50,887][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@hosts =
[https://32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243]
[2024-02-25T03:33:50,887][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@ilm_enabled = "true"
[2024-02-25T03:33:50,887][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@ilm_rollover_alias = "yokogawa-azure-waf"
[2024-02-25T03:33:50,887][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@id =
"002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529"
[2024-02-25T03:33:50,887][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@ilm_policy = "yokogawa-ilm-policy"
[2024-02-25T03:33:50,888][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@user = "logstash_internal"
[2024-02-25T03:33:50,888][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@timeout = 120
[2024-02-25T03:33:50,888][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@ilm_pattern = "000001"
[2024-02-25T03:33:50,888][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@enable_metric = true
[2024-02-25T03:33:50,888][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@codec = <LogStash::Codecs::Plain
id=>"plain_f8a672fc-7d8f-4d46-babe-5cf362c946fd", enable_metric=>true,
charset=>"UTF-8">
[2024-02-25T03:33:50,889][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@workers = 1
[2024-02-25T03:33:50,889][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@ssl_certificate_verification = true
[2024-02-25T03:33:50,889][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@ssl_verification_mode = "full"
[2024-02-25T03:33:50,889][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@ssl_supported_protocols = []
[2024-02-25T03:33:50,889][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@sniffing = false
[2024-02-25T03:33:50,889][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@sniffing_delay = 5
[2024-02-25T03:33:50,889][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@failure_type_logging_whitelist = []
[2024-02-25T03:33:50,889][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@silence_errors_in_log = []
[2024-02-25T03:33:50,889][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@pool_max = 1000
[2024-02-25T03:33:50,889][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@pool_max_per_route = 100
[2024-02-25T03:33:50,889][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@resurrect_delay = 5
[2024-02-25T03:33:50,890][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@validate_after_inactivity = 10000
[2024-02-25T03:33:50,890][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@http_compression = true
[2024-02-25T03:33:50,890][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@compression_level = 1
[2024-02-25T03:33:50,890][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@custom_headers = {}
[2024-02-25T03:33:50,890][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@retry_initial_interval = 2
[2024-02-25T03:33:50,890][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@retry_max_interval = 64
[2024-02-25T03:33:50,890][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@dlq_custom_codes = []
[2024-02-25T03:33:50,890][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@dlq_on_failed_indexname_interpolation = true
[2024-02-25T03:33:50,890][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@data_stream_type = "logs"
[2024-02-25T03:33:50,890][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@data_stream_dataset = "generic"
[2024-02-25T03:33:50,890][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@data_stream_namespace = "default"
[2024-02-25T03:33:50,891][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@data_stream_sync_fields = true
[2024-02-25T03:33:50,891][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@data_stream_auto_routing = true
[2024-02-25T03:33:50,891][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@manage_template = true
[2024-02-25T03:33:50,891][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@template_overwrite = false
[2024-02-25T03:33:50,891][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@template_api = "auto"
[2024-02-25T03:33:50,891][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@parent = nil
[2024-02-25T03:33:50,891][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@join_field = nil
[2024-02-25T03:33:50,891][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@upsert = ""
[2024-02-25T03:33:50,898][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@doc_as_upsert = false
[2024-02-25T03:33:50,898][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@script = ""
[2024-02-25T03:33:50,898][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@script_type = "inline"
[2024-02-25T03:33:50,898][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@script_lang = "painless"
[2024-02-25T03:33:50,899][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@script_var_name = "event"
[2024-02-25T03:33:50,899][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@scripted_upsert = false
[2024-02-25T03:33:50,899][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@retry_on_conflict = 1
[2024-02-25T03:33:50,899][DEBUG][logstash.outputs.elasticsearch] config
LogStash::Outputs::ElasticSearch/@pipeline = nil
[2024-02-25T03:33:51,072][DEBUG][org.logstash.ackedqueue.QueueUpgrade] PQ version
file with correct version information (v2) found.
[2024-02-25T03:33:51,081][DEBUG][org.logstash.ackedqueue.Queue] opening head page:
1815, in: /var/lib/logstash/queue/azure_waf_access, with checkpoint: pageNum=1815,
firstUnackedPageNum=1815, firstUnackedSeqNum=4157119, minSeqNum=4157101,
elementCount=18, isFullyAcked=yes
[2024-02-25T03:33:51,243][DEBUG][org.logstash.ackedqueue.io.MmapPageIOV2] PageIO
recovery for '/var/lib/logstash/queue/azure_waf_access/page.1815' element index:18,
readNextElement exception: Element seqNum 0 is expected to be 4157119
[2024-02-25T03:33:51,270][DEBUG][org.logstash.ackedqueue.io.MmapPageIOV2] PageIO
deleting '/var/lib/logstash/queue/azure_waf_access/page.1815'
[2024-02-25T03:33:51,284][DEBUG][org.logstash.ackedqueue.io.FileCheckpointIO]
CheckpointIO deleting '/var/lib/logstash/queue/azure_waf_access/checkpoint.1815'
[2024-02-25T03:33:51,293][DEBUG][org.logstash.ackedqueue.Queue] created new head
page: MmapPageIOV2{file=/var/lib/logstash/queue/azure_waf_access/page.1816,
capacity=67108864, minSeqNum=0, elementCount=0, head=1}
[2024-02-25T03:33:51,336][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:33:51,346][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:33:51,365][INFO ][logstash.javapipeline ] Pipeline
`azure_waf_access` is configured with `pipeline.ecs_compatibility: v8` setting. All
plugins in this pipeline will default to `ecs_compatibility => v8` unless
explicitly configured otherwise.
[2024-02-25T03:33:51,426][DEBUG][org.logstash.execution.AbstractPipelineExt] Flow
metric registered: `input_throughput` in namespace
`[:stats, :pipelines, :azure_waf_access, :flow]`
[2024-02-25T03:33:51,427][DEBUG][org.logstash.execution.AbstractPipelineExt] Flow
metric registered: `filter_throughput` in namespace
`[:stats, :pipelines, :azure_waf_access, :flow]`
[2024-02-25T03:33:51,435][DEBUG][org.logstash.execution.AbstractPipelineExt] Flow
metric registered: `output_throughput` in namespace
`[:stats, :pipelines, :azure_waf_access, :flow]`
[2024-02-25T03:33:51,435][DEBUG][org.logstash.execution.AbstractPipelineExt] Flow
metric registered: `queue_backpressure` in namespace
`[:stats, :pipelines, :azure_waf_access, :flow]`
[2024-02-25T03:33:51,436][DEBUG][org.logstash.execution.AbstractPipelineExt] Flow
metric registered: `worker_concurrency` in namespace
`[:stats, :pipelines, :azure_waf_access, :flow]`
[2024-02-25T03:33:51,444][DEBUG][org.logstash.execution.AbstractPipelineExt] Flow
metric registered: `queue_persisted_growth_events` in namespace
`[:stats, :pipelines, :azure_waf_access, :flow]`
[2024-02-25T03:33:51,445][DEBUG][org.logstash.execution.AbstractPipelineExt] Flow
metric registered: `queue_persisted_growth_bytes` in namespace
`[:stats, :pipelines, :azure_waf_access, :flow]`
[2024-02-25T03:33:51,446][DEBUG][org.logstash.execution.AbstractPipelineExt] Flow
metric registered: `throughput` in namespace
`[:stats, :pipelines, :azure_waf_access, :plugins, :inputs,
:e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8, :flow]`
[2024-02-25T03:33:51,454][DEBUG][org.logstash.execution.AbstractPipelineExt] Flow
metric registered: `worker_millis_per_event` in namespace
`[:stats, :pipelines, :azure_waf_access, :plugins, :filters,
:c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c, :flow]`
[2024-02-25T03:33:51,455][DEBUG][org.logstash.execution.AbstractPipelineExt] Flow
metric registered: `worker_utilization` in namespace
`[:stats, :pipelines, :azure_waf_access, :plugins, :filters,
:c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c, :flow]`
[2024-02-25T03:33:51,455][DEBUG][org.logstash.execution.AbstractPipelineExt] Flow
metric registered: `worker_millis_per_event` in namespace
`[:stats, :pipelines, :azure_waf_access, :plugins, :filters,
:"13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007", :flow]`
[2024-02-25T03:33:51,456][DEBUG][org.logstash.execution.AbstractPipelineExt] Flow
metric registered: `worker_utilization` in namespace
`[:stats, :pipelines, :azure_waf_access, :plugins, :filters,
:"13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007", :flow]`
[2024-02-25T03:33:51,457][DEBUG][org.logstash.execution.AbstractPipelineExt] Flow
metric registered: `worker_millis_per_event` in namespace
`[:stats, :pipelines, :azure_waf_access, :plugins, :filters,
:b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9, :flow]`
[2024-02-25T03:33:51,457][DEBUG][org.logstash.execution.AbstractPipelineExt] Flow
metric registered: `worker_utilization` in namespace
`[:stats, :pipelines, :azure_waf_access, :plugins, :filters,
:b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9, :flow]`
[2024-02-25T03:33:51,464][DEBUG][org.logstash.execution.AbstractPipelineExt] Flow
metric registered: `worker_millis_per_event` in namespace
`[:stats, :pipelines, :azure_waf_access, :plugins, :outputs,
:"002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529", :flow]`
[2024-02-25T03:33:51,465][DEBUG][org.logstash.execution.AbstractPipelineExt] Flow
metric registered: `worker_utilization` in namespace
`[:stats, :pipelines, :azure_waf_access, :plugins, :outputs,
:"002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529", :flow]`
[2024-02-25T03:33:51,476][DEBUG][logstash.javapipeline ] Starting pipeline
{:pipeline_id=>"azure_waf_access"}
[2024-02-25T03:33:51,528][INFO ][logstash.outputs.elasticsearch][azure_waf_access]
New Elasticsearch output
{:class=>"LogStash::Outputs::ElasticSearch",
:hosts=>["https://32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243"]}
[2024-02-25T03:33:51,616][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
Normalizing http path {:path=>nil, :normalized=>nil}
[2024-02-25T03:33:52,316][INFO ][logstash.outputs.elasticsearch][azure_waf_access]
Elasticsearch pool URLs updated {:changes=>{:removed=>[],
:added=>[https://logstash_internal:xxxxxx@32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243/]}}
[2024-02-25T03:33:52,366][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
Running health check to see if an Elasticsearch connection is working
{:healthcheck_url=>"https://logstash_internal:xxxxxx@32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243/",
:path=>"/"}
[2024-02-25T03:33:53,353][WARN ][logstash.outputs.elasticsearch][azure_waf_access]
Restored connection to ES instance
{:url=>"https://logstash_internal:xxxxxx@32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243/"}
[2024-02-25T03:33:53,375][INFO ][logstash.outputs.elasticsearch][azure_waf_access]
Elasticsearch version determined (8.10.3) {:es_version=>8}
[2024-02-25T03:33:53,384][WARN ][logstash.outputs.elasticsearch][azure_waf_access]
Detected a 6.x and above cluster: the `type` event field won't be used to determine
the document _type {:es_version=>8}
[2024-02-25T03:33:53,524][INFO ][logstash.outputs.elasticsearch][azure_waf_access]
Not eligible for data streams because config contains one or more settings that are
not compatible with data streams: {"ilm_enabled"=>"true",
"ilm_rollover_alias"=>"yokogawa-azure-waf", "ilm_policy"=>"yokogawa-ilm-policy",
"ilm_pattern"=>"000001"}
[2024-02-25T03:33:53,542][INFO ][logstash.outputs.elasticsearch][azure_waf_access]
Data streams auto configuration (`data_stream => auto` or unset) resolved to
`false`
[2024-02-25T03:33:53,690][INFO ][logstash.filters.json ][azure_waf_access] ECS
compatibility is enabled but `target` option was not specified. This may cause
fields to be set at the top-level of the event where they are likely to clash with
the Elastic Common Schema. It is recommended to set the `target` option to avoid
potential schema conflicts (if your data is ECS compliant or non-conflicting, feel
free to ignore this message)
[2024-02-25T03:33:53,706][WARN ][logstash.filters.geoip ][azure_waf_access] ECS
expect `target` value `geoip` in ["client", "destination", "host", "observer",
"server", "source"]
[2024-02-25T03:33:53,820][INFO ][logstash.outputs.elasticsearch][azure_waf_access]
Using a default mapping template {:es_version=>8, :ecs_compatibility=>:v8}
[2024-02-25T03:33:53,992][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
Attempting to install template
{:template=>{"index_patterns"=>"yokogawa-azure-waf-*",
"template"=>{"settings"=>{"index"=>{"mapping"=>{"total_fields"=>{"limit"=>10000}},
"refresh_interval"=>"5s"}, "index.lifecycle.name"=>"yokogawa-ilm-policy",
"index.lifecycle.rollover_alias"=>"yokogawa-azure-waf"},
"mappings"=>{"_meta"=>{"version"=>"8.0.1"}, "date_detection"=>false,
"dynamic_templates"=>[{"strings_as_keyword"=>{"mapping"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "match_mapping_type"=>"string"}}],
"properties"=>{"@timestamp"=>{"type"=>"date"},
"agent"=>{"properties"=>{"build"=>{"properties"=>{"original"=>{"ignore_above"=>1024
, "type"=>"keyword"}}}, "ephemeral_id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"id"=>{"ignore_above"=>1024, "type"=>"keyword"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "type"=>{"ignore_above"=>1024, "type"=>"keyword"},
"version"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"client"=>{"properties"=>{"address"=>{"ignore_above"=>1024, "type"=>"keyword"},
"as"=>{"properties"=>{"number"=>{"type"=>"long"},
"organization"=>{"properties"=>{"name"=>{"fields"=>{"text"=>{"type"=>"match_only_te
xt"}}, "ignore_above"=>1024, "type"=>"keyword"}}}}}, "bytes"=>{"type"=>"long"},
"domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"geo"=>{"properties"=>{"city_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"continent_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"continent_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"country_iso_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"country_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"location"=>{"type"=>"geo_point"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "postal_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"region_iso_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"region_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"timezone"=>{"ignore_above"=>1024, "type"=>"keyword"}}}, "ip"=>{"type"=>"ip"},
"mac"=>{"ignore_above"=>1024, "type"=>"keyword"},
"nat"=>{"properties"=>{"ip"=>{"type"=>"ip"}, "port"=>{"type"=>"long"}}},
"packets"=>{"type"=>"long"}, "port"=>{"type"=>"long"},
"registered_domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"subdomain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"top_level_domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"user"=>{"properties"=>{"domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"email"=>{"ignore_above"=>1024, "type"=>"keyword"},
"full_name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"},
"group"=>{"properties"=>{"domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"id"=>{"ignore_above"=>1024, "type"=>"keyword"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}}}, "hash"=>{"ignore_above"=>1024, "type"=>"keyword"},
"id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}}, "ignore_above"=>1024,
"type"=>"keyword"}, "roles"=>{"ignore_above"=>1024, "type"=>"keyword"}}}}},
"cloud"=>{"properties"=>{"account"=>{"properties"=>{"id"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "name"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"availability_zone"=>{"ignore_above"=>1024, "type"=>"keyword"},
"instance"=>{"properties"=>{"id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"name"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"machine"=>{"properties"=>{"type"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"origin"=>{"properties"=>{"account"=>{"properties"=>{"id"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "name"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"availability_zone"=>{"ignore_above"=>1024, "type"=>"keyword"},
"instance"=>{"properties"=>{"id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"name"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"machine"=>{"properties"=>{"type"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"project"=>{"properties"=>{"id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"name"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"provider"=>{"ignore_above"=>1024, "type"=>"keyword"},
"region"=>{"ignore_above"=>1024, "type"=>"keyword"},
"service"=>{"properties"=>{"name"=>{"ignore_above"=>1024, "type"=>"keyword"}}}}},
"project"=>{"properties"=>{"id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"name"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"provider"=>{"ignore_above"=>1024, "type"=>"keyword"},
"region"=>{"ignore_above"=>1024, "type"=>"keyword"},
"service"=>{"properties"=>{"name"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"target"=>{"properties"=>{"account"=>{"properties"=>{"id"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "name"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"availability_zone"=>{"ignore_above"=>1024, "type"=>"keyword"},
"instance"=>{"properties"=>{"id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"name"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"machine"=>{"properties"=>{"type"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"project"=>{"properties"=>{"id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"name"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"provider"=>{"ignore_above"=>1024, "type"=>"keyword"},
"region"=>{"ignore_above"=>1024, "type"=>"keyword"},
"service"=>{"properties"=>{"name"=>{"ignore_above"=>1024, "type"=>"keyword"}}}}}}},
"container"=>{"properties"=>{"id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"image"=>{"properties"=>{"name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"tag"=>{"ignore_above"=>1024, "type"=>"keyword"}}}, "labels"=>{"type"=>"object"},
"name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"runtime"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"data_stream"=>{"properties"=>{"dataset"=>{"type"=>"constant_keyword"},
"namespace"=>{"type"=>"constant_keyword"}, "type"=>{"type"=>"constant_keyword"}}},
"destination"=>{"properties"=>{"address"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "as"=>{"properties"=>{"number"=>{"type"=>"long"},
"organization"=>{"properties"=>{"name"=>{"fields"=>{"text"=>{"type"=>"match_only_te
xt"}}, "ignore_above"=>1024, "type"=>"keyword"}}}}}, "bytes"=>{"type"=>"long"},
"domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"geo"=>{"properties"=>{"city_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"continent_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"continent_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"country_iso_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"country_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"location"=>{"type"=>"geo_point"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "postal_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"region_iso_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"region_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"timezone"=>{"ignore_above"=>1024, "type"=>"keyword"}}}, "ip"=>{"type"=>"ip"},
"mac"=>{"ignore_above"=>1024, "type"=>"keyword"},
"nat"=>{"properties"=>{"ip"=>{"type"=>"ip"}, "port"=>{"type"=>"long"}}},
"packets"=>{"type"=>"long"}, "port"=>{"type"=>"long"},
"registered_domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"subdomain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"top_level_domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"user"=>{"properties"=>{"domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"email"=>{"ignore_above"=>1024, "type"=>"keyword"},
"full_name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"},
"group"=>{"properties"=>{"domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"id"=>{"ignore_above"=>1024, "type"=>"keyword"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}}}, "hash"=>{"ignore_above"=>1024, "type"=>"keyword"},
"id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}}, "ignore_above"=>1024,
"type"=>"keyword"}, "roles"=>{"ignore_above"=>1024, "type"=>"keyword"}}}}},
"dll"=>{"properties"=>{"code_signature"=>{"properties"=>{"digest_algorithm"=>{"igno
re_above"=>1024, "type"=>"keyword"}, "exists"=>{"type"=>"boolean"},
"signing_id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"status"=>{"ignore_above"=>1024, "type"=>"keyword"},
"subject_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"team_id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"timestamp"=>{"type"=>"date"}, "trusted"=>{"type"=>"boolean"},
"valid"=>{"type"=>"boolean"}}},
"hash"=>{"properties"=>{"md5"=>{"ignore_above"=>1024, "type"=>"keyword"},
"sha1"=>{"ignore_above"=>1024, "type"=>"keyword"}, "sha256"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "sha512"=>{"ignore_above"=>1024, "type"=>"keyword"},
"ssdeep"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"name"=>{"ignore_above"=>1024, "type"=>"keyword"}, "path"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "pe"=>{"properties"=>{"architecture"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "company"=>{"ignore_above"=>1024, "type"=>"keyword"},
"description"=>{"ignore_above"=>1024, "type"=>"keyword"},
"file_version"=>{"ignore_above"=>1024, "type"=>"keyword"},
"imphash"=>{"ignore_above"=>1024, "type"=>"keyword"},
"original_file_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"product"=>{"ignore_above"=>1024, "type"=>"keyword"}}}}},
"dns"=>{"properties"=>{"answers"=>{"properties"=>{"class"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "data"=>{"ignore_above"=>1024, "type"=>"keyword"},
"name"=>{"ignore_above"=>1024, "type"=>"keyword"}, "ttl"=>{"type"=>"long"},
"type"=>{"ignore_above"=>1024, "type"=>"keyword"}}, "type"=>"object"},
"header_flags"=>{"ignore_above"=>1024, "type"=>"keyword"},
"id"=>{"ignore_above"=>1024, "type"=>"keyword"}, "op_code"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "question"=>{"properties"=>{"class"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"registered_domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"subdomain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"top_level_domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"type"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"resolved_ip"=>{"type"=>"ip"}, "response_code"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "type"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"ecs"=>{"properties"=>{"version"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"error"=>{"properties"=>{"code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"message"=>{"type"=>"match_only_text"},
"stack_trace"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"type"=>"wildcard"}, "type"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"event"=>{"properties"=>{"action"=>{"ignore_above"=>1024, "type"=>"keyword"},
"agent_id_status"=>{"ignore_above"=>1024, "type"=>"keyword"},
"category"=>{"ignore_above"=>1024, "type"=>"keyword"},
"code"=>{"ignore_above"=>1024, "type"=>"keyword"}, "created"=>{"type"=>"date"},
"dataset"=>{"ignore_above"=>1024, "type"=>"keyword"}, "duration"=>{"type"=>"long"},
"end"=>{"type"=>"date"}, "hash"=>{"ignore_above"=>1024, "type"=>"keyword"},
"id"=>{"ignore_above"=>1024, "type"=>"keyword"}, "ingested"=>{"type"=>"date"},
"kind"=>{"ignore_above"=>1024, "type"=>"keyword"}, "module"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "original"=>{"doc_values"=>false, "index"=>false,
"type"=>"keyword"}, "outcome"=>{"ignore_above"=>1024, "type"=>"keyword"},
"provider"=>{"ignore_above"=>1024, "type"=>"keyword"},
"reason"=>{"ignore_above"=>1024, "type"=>"keyword"},
"reference"=>{"ignore_above"=>1024, "type"=>"keyword"},
"risk_score"=>{"type"=>"float"}, "risk_score_norm"=>{"type"=>"float"},
"sequence"=>{"type"=>"long"}, "severity"=>{"type"=>"long"},
"start"=>{"type"=>"date"}, "timezone"=>{"ignore_above"=>1024, "type"=>"keyword"},
"type"=>{"ignore_above"=>1024, "type"=>"keyword"}, "url"=>{"ignore_above"=>1024,
"type"=>"keyword"}}}, "faas"=>{"properties"=>{"coldstart"=>{"type"=>"boolean"},
"execution"=>{"ignore_above"=>1024, "type"=>"keyword"},
"trigger"=>{"properties"=>{"request_id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"type"=>{"ignore_above"=>1024, "type"=>"keyword"}}, "type"=>"nested"}}},
"file"=>{"properties"=>{"accessed"=>{"type"=>"date"},
"attributes"=>{"ignore_above"=>1024, "type"=>"keyword"},
"code_signature"=>{"properties"=>{"digest_algorithm"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "exists"=>{"type"=>"boolean"},
"signing_id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"status"=>{"ignore_above"=>1024, "type"=>"keyword"},
"subject_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"team_id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"timestamp"=>{"type"=>"date"}, "trusted"=>{"type"=>"boolean"},
"valid"=>{"type"=>"boolean"}}}, "created"=>{"type"=>"date"},
"ctime"=>{"type"=>"date"}, "device"=>{"ignore_above"=>1024, "type"=>"keyword"},
"directory"=>{"ignore_above"=>1024, "type"=>"keyword"},
"drive_letter"=>{"ignore_above"=>1, "type"=>"keyword"},
"elf"=>{"properties"=>{"architecture"=>{"ignore_above"=>1024, "type"=>"keyword"},
"byte_order"=>{"ignore_above"=>1024, "type"=>"keyword"},
"cpu_type"=>{"ignore_above"=>1024, "type"=>"keyword"},
"creation_date"=>{"type"=>"date"}, "exports"=>{"type"=>"flattened"},
"header"=>{"properties"=>{"abi_version"=>{"ignore_above"=>1024, "type"=>"keyword"},
"class"=>{"ignore_above"=>1024, "type"=>"keyword"}, "data"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "entrypoint"=>{"type"=>"long"},
"object_version"=>{"ignore_above"=>1024, "type"=>"keyword"},
"os_abi"=>{"ignore_above"=>1024, "type"=>"keyword"}, "type"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "version"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"imports"=>{"type"=>"flattened"},
"sections"=>{"properties"=>{"chi2"=>{"type"=>"long"}, "entropy"=>{"type"=>"long"},
"flags"=>{"ignore_above"=>1024, "type"=>"keyword"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "physical_offset"=>{"ignore_above"=>1024, "type"=>"keyword"},
"physical_size"=>{"type"=>"long"}, "type"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "virtual_address"=>{"type"=>"long"},
"virtual_size"=>{"type"=>"long"}}, "type"=>"nested"},
"segments"=>{"properties"=>{"sections"=>{"ignore_above"=>1024, "type"=>"keyword"},
"type"=>{"ignore_above"=>1024, "type"=>"keyword"}}, "type"=>"nested"},
"shared_libraries"=>{"ignore_above"=>1024, "type"=>"keyword"},
"telfhash"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"extension"=>{"ignore_above"=>1024, "type"=>"keyword"},
"fork_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"gid"=>{"ignore_above"=>1024, "type"=>"keyword"}, "group"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "hash"=>{"properties"=>{"md5"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "sha1"=>{"ignore_above"=>1024, "type"=>"keyword"},
"sha256"=>{"ignore_above"=>1024, "type"=>"keyword"},
"sha512"=>{"ignore_above"=>1024, "type"=>"keyword"},
"ssdeep"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"inode"=>{"ignore_above"=>1024, "type"=>"keyword"},
"mime_type"=>{"ignore_above"=>1024, "type"=>"keyword"},
"mode"=>{"ignore_above"=>1024, "type"=>"keyword"}, "mtime"=>{"type"=>"date"},
"name"=>{"ignore_above"=>1024, "type"=>"keyword"}, "owner"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "path"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"},
"pe"=>{"properties"=>{"architecture"=>{"ignore_above"=>1024, "type"=>"keyword"},
"company"=>{"ignore_above"=>1024, "type"=>"keyword"},
"description"=>{"ignore_above"=>1024, "type"=>"keyword"},
"file_version"=>{"ignore_above"=>1024, "type"=>"keyword"},
"imphash"=>{"ignore_above"=>1024, "type"=>"keyword"},
"original_file_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"product"=>{"ignore_above"=>1024, "type"=>"keyword"}}}, "size"=>{"type"=>"long"},
"target_path"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"}, "type"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "uid"=>{"ignore_above"=>1024, "type"=>"keyword"},
"x509"=>{"properties"=>{"alternative_names"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "issuer"=>{"properties"=>{"common_name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "country"=>{"ignore_above"=>1024, "type"=>"keyword"},
"distinguished_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"locality"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organization"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organizational_unit"=>{"ignore_above"=>1024, "type"=>"keyword"},
"state_or_province"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"not_after"=>{"type"=>"date"}, "not_before"=>{"type"=>"date"},
"public_key_algorithm"=>{"ignore_above"=>1024, "type"=>"keyword"},
"public_key_curve"=>{"ignore_above"=>1024, "type"=>"keyword"},
"public_key_exponent"=>{"doc_values"=>false, "index"=>false, "type"=>"long"},
"public_key_size"=>{"type"=>"long"}, "serial_number"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "signature_algorithm"=>{"ignore_above"=>1024,
"type"=>"keyword"},
"subject"=>{"properties"=>{"common_name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "country"=>{"ignore_above"=>1024, "type"=>"keyword"},
"distinguished_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"locality"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organization"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organizational_unit"=>{"ignore_above"=>1024, "type"=>"keyword"},
"state_or_province"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"version_number"=>{"ignore_above"=>1024, "type"=>"keyword"}}}}},
"group"=>{"properties"=>{"domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"id"=>{"ignore_above"=>1024, "type"=>"keyword"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}}},
"host"=>{"properties"=>{"architecture"=>{"ignore_above"=>1024, "type"=>"keyword"},
"cpu"=>{"properties"=>{"usage"=>{"scaling_factor"=>1000, "type"=>"scaled_float"}}},
"disk"=>{"properties"=>{"read"=>{"properties"=>{"bytes"=>{"type"=>"long"}}},
"write"=>{"properties"=>{"bytes"=>{"type"=>"long"}}}}},
"domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"geo"=>{"properties"=>{"city_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"continent_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"continent_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"country_iso_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"country_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"location"=>{"type"=>"geo_point"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "postal_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"region_iso_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"region_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"timezone"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"hostname"=>{"ignore_above"=>1024, "type"=>"keyword"}, "id"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "ip"=>{"type"=>"ip"}, "mac"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"network"=>{"properties"=>{"egress"=>{"properties"=>{"bytes"=>{"type"=>"long"},
"packets"=>{"type"=>"long"}}},
"ingress"=>{"properties"=>{"bytes"=>{"type"=>"long"},
"packets"=>{"type"=>"long"}}}}},
"os"=>{"properties"=>{"family"=>{"ignore_above"=>1024, "type"=>"keyword"},
"full"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}}, "ignore_above"=>1024,
"type"=>"keyword"}, "kernel"=>{"ignore_above"=>1024, "type"=>"keyword"},
"name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}}, "ignore_above"=>1024,
"type"=>"keyword"}, "platform"=>{"ignore_above"=>1024, "type"=>"keyword"},
"type"=>{"ignore_above"=>1024, "type"=>"keyword"},
"version"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"type"=>{"ignore_above"=>1024, "type"=>"keyword"}, "uptime"=>{"type"=>"long"}}},
"http"=>{"properties"=>{"request"=>{"properties"=>{"body"=>{"properties"=>{"bytes"=
>{"type"=>"long"}, "content"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"type"=>"wildcard"}}}, "bytes"=>{"type"=>"long"}, "id"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "method"=>{"ignore_above"=>1024, "type"=>"keyword"},
"mime_type"=>{"ignore_above"=>1024, "type"=>"keyword"},
"referrer"=>{"ignore_above"=>1024,
"type"=>"keyword"}}},
"response"=>{"properties"=>{"body"=>{"properties"=>{"bytes"=>{"type"=>"long"},
"content"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}}, "type"=>"wildcard"}}},
"bytes"=>{"type"=>"long"}, "mime_type"=>{"ignore_above"=>1024, "type"=>"keyword"},
"status_code"=>{"type"=>"long"}}}, "version"=>{"ignore_above"=>1024,
"type"=>"keyword"}}}, "labels"=>{"type"=>"object"},
"log"=>{"properties"=>{"file"=>{"properties"=>{"path"=>{"ignore_above"=>1024,
"type"=>"keyword"}}}, "level"=>{"ignore_above"=>1024, "type"=>"keyword"},
"logger"=>{"ignore_above"=>1024, "type"=>"keyword"},
"origin"=>{"properties"=>{"file"=>{"properties"=>{"line"=>{"type"=>"long"},
"name"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"function"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"syslog"=>{"properties"=>{"facility"=>{"properties"=>{"code"=>{"type"=>"long"},
"name"=>{"ignore_above"=>1024, "type"=>"keyword"}}}, "priority"=>{"type"=>"long"},
"severity"=>{"properties"=>{"code"=>{"type"=>"long"},
"name"=>{"ignore_above"=>1024, "type"=>"keyword"}}}}, "type"=>"object"}}},
"message"=>{"type"=>"match_only_text"},
"network"=>{"properties"=>{"application"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "bytes"=>{"type"=>"long"},
"community_id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"direction"=>{"ignore_above"=>1024, "type"=>"keyword"},
"forwarded_ip"=>{"type"=>"ip"}, "iana_number"=>{"ignore_above"=>1024,
"type"=>"keyword"},
"inner"=>{"properties"=>{"vlan"=>{"properties"=>{"id"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "name"=>{"ignore_above"=>1024, "type"=>"keyword"}}}},
"type"=>"object"}, "name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"packets"=>{"type"=>"long"}, "protocol"=>{"ignore_above"=>1024, "type"=>"keyword"},
"transport"=>{"ignore_above"=>1024, "type"=>"keyword"},
"type"=>{"ignore_above"=>1024, "type"=>"keyword"},
"vlan"=>{"properties"=>{"id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"name"=>{"ignore_above"=>1024, "type"=>"keyword"}}}}},
"observer"=>{"properties"=>{"egress"=>{"properties"=>{"interface"=>{"properties"=>{
"alias"=>{"ignore_above"=>1024, "type"=>"keyword"}, "id"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "name"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"vlan"=>{"properties"=>{"id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"name"=>{"ignore_above"=>1024, "type"=>"keyword"}}}, "zone"=>{"ignore_above"=>1024,
"type"=>"keyword"}}, "type"=>"object"},
"geo"=>{"properties"=>{"city_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"continent_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"continent_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"country_iso_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"country_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"location"=>{"type"=>"geo_point"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "postal_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"region_iso_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"region_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"timezone"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"hostname"=>{"ignore_above"=>1024, "type"=>"keyword"},
"ingress"=>{"properties"=>{"interface"=>{"properties"=>{
"alias"=>{"ignore_above"=>1024, "type"=>"keyword"}, "id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"name"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"vlan"=>{"properties"=>{"id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"name"=>{"ignore_above"=>1024, "type"=>"keyword"}}}, "zone"=>{"ignore_above"=>1024,
"type"=>"keyword"}}, "type"=>"object"}, "ip"=>{"type"=>"ip"},
"mac"=>{"ignore_above"=>1024, "type"=>"keyword"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "os"=>{"properties"=>{"family"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "full"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"}, "kernel"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"}, "platform"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "type"=>{"ignore_above"=>1024, "type"=>"keyword"},
"version"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"product"=>{"ignore_above"=>1024, "type"=>"keyword"},
"serial_number"=>{"ignore_above"=>1024, "type"=>"keyword"},
"type"=>{"ignore_above"=>1024, "type"=>"keyword"}, "vendor"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "version"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"orchestrator"=>{"properties"=>{"api_version"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "cluster"=>{"properties"=>{"name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "url"=>{"ignore_above"=>1024, "type"=>"keyword"},
"version"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"namespace"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organization"=>{"ignore_above"=>1024, "type"=>"keyword"},
"resource"=>{"properties"=>{"name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"type"=>{"ignore_above"=>1024, "type"=>"keyword"}}}, "type"=>{"ignore_above"=>1024,
"type"=>"keyword"}}}, "organization"=>{"properties"=>{"id"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"}}},
"package"=>{"properties"=>{"architecture"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "build_version"=>{"ignore_above"=>1024, "type"=>"keyword"},
"checksum"=>{"ignore_above"=>1024, "type"=>"keyword"},
"description"=>{"ignore_above"=>1024, "type"=>"keyword"},
"install_scope"=>{"ignore_above"=>1024, "type"=>"keyword"},
"installed"=>{"type"=>"date"}, "license"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"path"=>{"ignore_above"=>1024, "type"=>"keyword"},
"reference"=>{"ignore_above"=>1024, "type"=>"keyword"}, "size"=>{"type"=>"long"},
"type"=>{"ignore_above"=>1024, "type"=>"keyword"},
"version"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"process"=>{"properties"=>{"args"=>{"ignore_above"=>1024, "type"=>"keyword"},
"args_count"=>{"type"=>"long"},
"code_signature"=>{"properties"=>{"digest_algorithm"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "exists"=>{"type"=>"boolean"},
"signing_id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"status"=>{"ignore_above"=>1024, "type"=>"keyword"},
"subject_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"team_id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"timestamp"=>{"type"=>"date"}, "trusted"=>{"type"=>"boolean"},
"valid"=>{"type"=>"boolean"}}},
"command_line"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"type"=>"wildcard"}, "elf"=>{"properties"=>{"architecture"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "byte_order"=>{"ignore_above"=>1024, "type"=>"keyword"},
"cpu_type"=>{"ignore_above"=>1024, "type"=>"keyword"},
"creation_date"=>{"type"=>"date"}, "exports"=>{"type"=>"flattened"},
"header"=>{"properties"=>{"abi_version"=>{"ignore_above"=>1024, "type"=>"keyword"},
"class"=>{"ignore_above"=>1024, "type"=>"keyword"}, "data"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "entrypoint"=>{"type"=>"long"},
"object_version"=>{"ignore_above"=>1024, "type"=>"keyword"},
"os_abi"=>{"ignore_above"=>1024, "type"=>"keyword"}, "type"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "version"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"imports"=>{"type"=>"flattened"},
"sections"=>{"properties"=>{"chi2"=>{"type"=>"long"}, "entropy"=>{"type"=>"long"},
"flags"=>{"ignore_above"=>1024, "type"=>"keyword"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "physical_offset"=>{"ignore_above"=>1024, "type"=>"keyword"},
"physical_size"=>{"type"=>"long"}, "type"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "virtual_address"=>{"type"=>"long"},
"virtual_size"=>{"type"=>"long"}}, "type"=>"nested"},
"segments"=>{"properties"=>{"sections"=>{"ignore_above"=>1024, "type"=>"keyword"},
"type"=>{"ignore_above"=>1024, "type"=>"keyword"}}, "type"=>"nested"},
"shared_libraries"=>{"ignore_above"=>1024, "type"=>"keyword"},
"telfhash"=>{"ignore_above"=>1024, "type"=>"keyword"}}}, "end"=>{"type"=>"date"},
"entity_id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"executable"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"}, "exit_code"=>{"type"=>"long"},
"hash"=>{"properties"=>{"md5"=>{"ignore_above"=>1024, "type"=>"keyword"},
"sha1"=>{"ignore_above"=>1024, "type"=>"keyword"}, "sha256"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "sha512"=>{"ignore_above"=>1024, "type"=>"keyword"},
"ssdeep"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}}, "ignore_above"=>1024,
"type"=>"keyword"}, "parent"=>{"properties"=>{"args"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "args_count"=>{"type"=>"long"},
"code_signature"=>{"properties"=>{"digest_algorithm"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "exists"=>{"type"=>"boolean"},
"signing_id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"status"=>{"ignore_above"=>1024, "type"=>"keyword"},
"subject_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"team_id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"timestamp"=>{"type"=>"date"}, "trusted"=>{"type"=>"boolean"},
"valid"=>{"type"=>"boolean"}}},
"command_line"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"type"=>"wildcard"}, "elf"=>{"properties"=>{"architecture"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "byte_order"=>{"ignore_above"=>1024, "type"=>"keyword"},
"cpu_type"=>{"ignore_above"=>1024, "type"=>"keyword"},
"creation_date"=>{"type"=>"date"}, "exports"=>{"type"=>"flattened"},
"header"=>{"properties"=>{"abi_version"=>{"ignore_above"=>1024, "type"=>"keyword"},
"class"=>{"ignore_above"=>1024, "type"=>"keyword"}, "data"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "entrypoint"=>{"type"=>"long"},
"object_version"=>{"ignore_above"=>1024, "type"=>"keyword"},
"os_abi"=>{"ignore_above"=>1024, "type"=>"keyword"}, "type"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "version"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"imports"=>{"type"=>"flattened"},
"sections"=>{"properties"=>{"chi2"=>{"type"=>"long"}, "entropy"=>{"type"=>"long"},
"flags"=>{"ignore_above"=>1024, "type"=>"keyword"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "physical_offset"=>{"ignore_above"=>1024, "type"=>"keyword"},
"physical_size"=>{"type"=>"long"}, "type"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "virtual_address"=>{"type"=>"long"},
"virtual_size"=>{"type"=>"long"}}, "type"=>"nested"},
"segments"=>{"properties"=>{"sections"=>{"ignore_above"=>1024, "type"=>"keyword"},
"type"=>{"ignore_above"=>1024, "type"=>"keyword"}}, "type"=>"nested"},
"shared_libraries"=>{"ignore_above"=>1024, "type"=>"keyword"},
"telfhash"=>{"ignore_above"=>1024, "type"=>"keyword"}}}, "end"=>{"type"=>"date"},
"entity_id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"executable"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"}, "exit_code"=>{"type"=>"long"},
"hash"=>{"properties"=>{"md5"=>{"ignore_above"=>1024, "type"=>"keyword"},
"sha1"=>{"ignore_above"=>1024, "type"=>"keyword"}, "sha256"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "sha512"=>{"ignore_above"=>1024, "type"=>"keyword"},
"ssdeep"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}}, "ignore_above"=>1024,
"type"=>"keyword"}, "pe"=>{"properties"=>{"architecture"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "company"=>{"ignore_above"=>1024, "type"=>"keyword"},
"description"=>{"ignore_above"=>1024, "type"=>"keyword"},
"file_version"=>{"ignore_above"=>1024, "type"=>"keyword"},
"imphash"=>{"ignore_above"=>1024, "type"=>"keyword"},
"original_file_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"product"=>{"ignore_above"=>1024, "type"=>"keyword"}}}, "pgid"=>{"type"=>"long"},
"pid"=>{"type"=>"long"}, "start"=>{"type"=>"date"},
"thread"=>{"properties"=>{"id"=>{"type"=>"long"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}}}, "title"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"}, "uptime"=>{"type"=>"long"},
"working_directory"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"}}},
"pe"=>{"properties"=>{"architecture"=>{"ignore_above"=>1024, "type"=>"keyword"},
"company"=>{"ignore_above"=>1024, "type"=>"keyword"},
"description"=>{"ignore_above"=>1024, "type"=>"keyword"},
"file_version"=>{"ignore_above"=>1024, "type"=>"keyword"},
"imphash"=>{"ignore_above"=>1024, "type"=>"keyword"},
"original_file_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"product"=>{"ignore_above"=>1024, "type"=>"keyword"}}}, "pgid"=>{"type"=>"long"},
"pid"=>{"type"=>"long"}, "start"=>{"type"=>"date"},
"thread"=>{"properties"=>{"id"=>{"type"=>"long"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}}}, "title"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"}, "uptime"=>{"type"=>"long"},
"working_directory"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"}}},
"registry"=>{"properties"=>{"data"=>{"properties"=>{"bytes"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "strings"=>{"type"=>"wildcard"}, "type"=>{"ignore_above"=>1024,
"type"=>"keyword"}}}, "hive"=>{"ignore_above"=>1024, "type"=>"keyword"},
"key"=>{"ignore_above"=>1024, "type"=>"keyword"}, "path"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "value"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"related"=>{"properties"=>{"hash"=>{"ignore_above"=>1024, "type"=>"keyword"},
"hosts"=>{"ignore_above"=>1024, "type"=>"keyword"}, "ip"=>{"type"=>"ip"},
"user"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"rule"=>{"properties"=>{"author"=>{"ignore_above"=>1024, "type"=>"keyword"},
"category"=>{"ignore_above"=>1024, "type"=>"keyword"},
"description"=>{"ignore_above"=>1024, "type"=>"keyword"},
"id"=>{"ignore_above"=>1024, "type"=>"keyword"}, "license"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"reference"=>{"ignore_above"=>1024, "type"=>"keyword"},
"ruleset"=>{"ignore_above"=>1024, "type"=>"keyword"},
"uuid"=>{"ignore_above"=>1024, "type"=>"keyword"},
"version"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"server"=>{"properties"=>{"address"=>{"ignore_above"=>1024, "type"=>"keyword"},
"as"=>{"properties"=>{"number"=>{"type"=>"long"},
"organization"=>{"properties"=>{"name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"}}}}}, "bytes"=>{"type"=>"long"},
"domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"geo"=>{"properties"=>{"city_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"continent_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"continent_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"country_iso_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"country_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"location"=>{"type"=>"geo_point"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "postal_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"region_iso_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"region_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"timezone"=>{"ignore_above"=>1024, "type"=>"keyword"}}}, "ip"=>{"type"=>"ip"},
"mac"=>{"ignore_above"=>1024, "type"=>"keyword"},
"nat"=>{"properties"=>{"ip"=>{"type"=>"ip"}, "port"=>{"type"=>"long"}}},
"packets"=>{"type"=>"long"}, "port"=>{"type"=>"long"},
"registered_domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"subdomain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"top_level_domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"user"=>{"properties"=>{"domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"email"=>{"ignore_above"=>1024, "type"=>"keyword"},
"full_name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"},
"group"=>{"properties"=>{"domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"id"=>{"ignore_above"=>1024, "type"=>"keyword"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}}}, "hash"=>{"ignore_above"=>1024, "type"=>"keyword"},
"id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}}, "ignore_above"=>1024,
"type"=>"keyword"}, "roles"=>{"ignore_above"=>1024, "type"=>"keyword"}}}}},
"service"=>{"properties"=>{"address"=>{"ignore_above"=>1024, "type"=>"keyword"},
"environment"=>{"ignore_above"=>1024, "type"=>"keyword"},
"ephemeral_id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"id"=>{"ignore_above"=>1024, "type"=>"keyword"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "node"=>{"properties"=>{"name"=>{"ignore_above"=>1024,
"type"=>"keyword"}}}, "origin"=>{"properties"=>{"address"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "environment"=>{"ignore_above"=>1024, "type"=>"keyword"},
"ephemeral_id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"id"=>{"ignore_above"=>1024, "type"=>"keyword"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "node"=>{"properties"=>{"name"=>{"ignore_above"=>1024,
"type"=>"keyword"}}}, "state"=>{"ignore_above"=>1024, "type"=>"keyword"},
"type"=>{"ignore_above"=>1024, "type"=>"keyword"},
"version"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"state"=>{"ignore_above"=>1024, "type"=>"keyword"},
"target"=>{"properties"=>{"address"=>{"ignore_above"=>1024, "type"=>"keyword"},
"environment"=>{"ignore_above"=>1024, "type"=>"keyword"},
"ephemeral_id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"id"=>{"ignore_above"=>1024, "type"=>"keyword"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "node"=>{"properties"=>{"name"=>{"ignore_above"=>1024,
"type"=>"keyword"}}}, "state"=>{"ignore_above"=>1024, "type"=>"keyword"},
"type"=>{"ignore_above"=>1024, "type"=>"keyword"},
"version"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"type"=>{"ignore_above"=>1024, "type"=>"keyword"},
"version"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"source"=>{"properties"=>{"address"=>{"ignore_above"=>1024, "type"=>"keyword"},
"as"=>{"properties"=>{"number"=>{"type"=>"long"},
"organization"=>{"properties"=>{"name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"}}}}}, "bytes"=>{"type"=>"long"},
"domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"geo"=>{"properties"=>{"city_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"continent_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"continent_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"country_iso_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"country_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"location"=>{"type"=>"geo_point"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "postal_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"region_iso_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"region_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"timezone"=>{"ignore_above"=>1024, "type"=>"keyword"}}}, "ip"=>{"type"=>"ip"},
"mac"=>{"ignore_above"=>1024, "type"=>"keyword"},
"nat"=>{"properties"=>{"ip"=>{"type"=>"ip"}, "port"=>{"type"=>"long"}}},
"packets"=>{"type"=>"long"}, "port"=>{"type"=>"long"},
"registered_domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"subdomain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"top_level_domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"user"=>{"properties"=>{"domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"email"=>{"ignore_above"=>1024, "type"=>"keyword"},
"full_name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"},
"group"=>{"properties"=>{"domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"id"=>{"ignore_above"=>1024, "type"=>"keyword"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}}}, "hash"=>{"ignore_above"=>1024, "type"=>"keyword"},
"id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}}, "ignore_above"=>1024,
"type"=>"keyword"}, "roles"=>{"ignore_above"=>1024, "type"=>"keyword"}}}}},
"span"=>{"properties"=>{"id"=>{"ignore_above"=>1024,
"type"=>"keyword"}}}, "tags"=>{"ignore_above"=>1024, "type"=>"keyword"},
"threat"=>{"properties"=>{"enrichments"=>{"properties"=>{"indicator"=>{"properties"=>{
"as"=>{"properties"=>{"number"=>{"type"=>"long"},
"organization"=>{"properties"=>{"name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"}}}}},
"confidence"=>{"ignore_above"=>1024, "type"=>"keyword"},
"description"=>{"ignore_above"=>1024, "type"=>"keyword"},
"email"=>{"properties"=>{"address"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"file"=>{"properties"=>{"accessed"=>{"type"=>"date"},
"attributes"=>{"ignore_above"=>1024, "type"=>"keyword"},
"code_signature"=>{"properties"=>{"digest_algorithm"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "exists"=>{"type"=>"boolean"},
"signing_id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"status"=>{"ignore_above"=>1024, "type"=>"keyword"},
"subject_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"team_id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"timestamp"=>{"type"=>"date"}, "trusted"=>{"type"=>"boolean"},
"valid"=>{"type"=>"boolean"}}}, "created"=>{"type"=>"date"},
"ctime"=>{"type"=>"date"}, "device"=>{"ignore_above"=>1024, "type"=>"keyword"},
"directory"=>{"ignore_above"=>1024, "type"=>"keyword"},
"drive_letter"=>{"ignore_above"=>1, "type"=>"keyword"},
"elf"=>{"properties"=>{"architecture"=>{"ignore_above"=>1024, "type"=>"keyword"},
"byte_order"=>{"ignore_above"=>1024, "type"=>"keyword"},
"cpu_type"=>{"ignore_above"=>1024, "type"=>"keyword"},
"creation_date"=>{"type"=>"date"}, "exports"=>{"type"=>"flattened"},
"header"=>{"properties"=>{"abi_version"=>{"ignore_above"=>1024, "type"=>"keyword"},
"class"=>{"ignore_above"=>1024, "type"=>"keyword"}, "data"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "entrypoint"=>{"type"=>"long"},
"object_version"=>{"ignore_above"=>1024, "type"=>"keyword"},
"os_abi"=>{"ignore_above"=>1024, "type"=>"keyword"}, "type"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "version"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"imports"=>{"type"=>"flattened"},
"sections"=>{"properties"=>{"chi2"=>{"type"=>"long"}, "entropy"=>{"type"=>"long"},
"flags"=>{"ignore_above"=>1024, "type"=>"keyword"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "physical_offset"=>{"ignore_above"=>1024, "type"=>"keyword"},
"physical_size"=>{"type"=>"long"}, "type"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "virtual_address"=>{"type"=>"long"},
"virtual_size"=>{"type"=>"long"}}, "type"=>"nested"},
"segments"=>{"properties"=>{"sections"=>{"ignore_above"=>1024, "type"=>"keyword"},
"type"=>{"ignore_above"=>1024, "type"=>"keyword"}}, "type"=>"nested"},
"shared_libraries"=>{"ignore_above"=>1024, "type"=>"keyword"},
"telfhash"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"extension"=>{"ignore_above"=>1024, "type"=>"keyword"},
"fork_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"gid"=>{"ignore_above"=>1024, "type"=>"keyword"}, "group"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "hash"=>{"properties"=>{"md5"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "sha1"=>{"ignore_above"=>1024, "type"=>"keyword"},
"sha256"=>{"ignore_above"=>1024, "type"=>"keyword"},
"sha512"=>{"ignore_above"=>1024, "type"=>"keyword"},
"ssdeep"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"inode"=>{"ignore_above"=>1024, "type"=>"keyword"},
"mime_type"=>{"ignore_above"=>1024, "type"=>"keyword"},
"mode"=>{"ignore_above"=>1024, "type"=>"keyword"}, "mtime"=>{"type"=>"date"},
"name"=>{"ignore_above"=>1024, "type"=>"keyword"}, "owner"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "path"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"},
"pe"=>{"properties"=>{"architecture"=>{"ignore_above"=>1024, "type"=>"keyword"},
"company"=>{"ignore_above"=>1024, "type"=>"keyword"},
"description"=>{"ignore_above"=>1024, "type"=>"keyword"},
"file_version"=>{"ignore_above"=>1024, "type"=>"keyword"},
"imphash"=>{"ignore_above"=>1024, "type"=>"keyword"},
"original_file_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"product"=>{"ignore_above"=>1024, "type"=>"keyword"}}}, "size"=>{"type"=>"long"},
"target_path"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"}, "type"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "uid"=>{"ignore_above"=>1024, "type"=>"keyword"},
"x509"=>{"properties"=>{"alternative_names"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "issuer"=>{"properties"=>{"common_name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "country"=>{"ignore_above"=>1024, "type"=>"keyword"},
"distinguished_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"locality"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organization"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organizational_unit"=>{"ignore_above"=>1024, "type"=>"keyword"},
"state_or_province"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"not_after"=>{"type"=>"date"}, "not_before"=>{"type"=>"date"},
"public_key_algorithm"=>{"ignore_above"=>1024, "type"=>"keyword"},
"public_key_curve"=>{"ignore_above"=>1024, "type"=>"keyword"},
"public_key_exponent"=>{"doc_values"=>false, "index"=>false, "type"=>"long"},
"public_key_size"=>{"type"=>"long"}, "serial_number"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "signature_algorithm"=>{"ignore_above"=>1024,
"type"=>"keyword"},
"subject"=>{"properties"=>{"common_name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "country"=>{"ignore_above"=>1024, "type"=>"keyword"},
"distinguished_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"locality"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organization"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organizational_unit"=>{"ignore_above"=>1024, "type"=>"keyword"},
"state_or_province"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"version_number"=>{"ignore_above"=>1024, "type"=>"keyword"}}}}},
"first_seen"=>{"type"=>"date"},
"geo"=>{"properties"=>{"city_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"continent_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"continent_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"country_iso_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"country_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"location"=>{"type"=>"geo_point"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "postal_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"region_iso_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"region_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"timezone"=>{"ignore_above"=>1024, "type"=>"keyword"}}}, "ip"=>{"type"=>"ip"},
"last_seen"=>{"type"=>"date"},
"marking"=>{"properties"=>{"tlp"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"modified_at"=>{"type"=>"date"}, "port"=>{"type"=>"long"},
"provider"=>{"ignore_above"=>1024, "type"=>"keyword"},
"reference"=>{"ignore_above"=>1024, "type"=>"keyword"},
"registry"=>{"properties"=>{"data"=>{"properties"=>{"bytes"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "strings"=>{"type"=>"wildcard"}, "type"=>{"ignore_above"=>1024,
"type"=>"keyword"}}}, "hive"=>{"ignore_above"=>1024, "type"=>"keyword"},
"key"=>{"ignore_above"=>1024, "type"=>"keyword"}, "path"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "value"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"scanner_stats"=>{"type"=>"long"}, "sightings"=>{"type"=>"long"},
"type"=>{"ignore_above"=>1024, "type"=>"keyword"},
"url"=>{"properties"=>{"domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"extension"=>{"ignore_above"=>1024, "type"=>"keyword"},
"fragment"=>{"ignore_above"=>1024, "type"=>"keyword"},
"full"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}}, "type"=>"wildcard"},
"original"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}}, "type"=>"wildcard"},
"password"=>{"ignore_above"=>1024, "type"=>"keyword"},
"path"=>{"type"=>"wildcard"}, "port"=>{"type"=>"long"},
"query"=>{"ignore_above"=>1024, "type"=>"keyword"},
"registered_domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"scheme"=>{"ignore_above"=>1024, "type"=>"keyword"},
"subdomain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"top_level_domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"username"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"x509"=>{"properties"=>{"alternative_names"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "issuer"=>{"properties"=>{"common_name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "country"=>{"ignore_above"=>1024, "type"=>"keyword"},
"distinguished_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"locality"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organization"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organizational_unit"=>{"ignore_above"=>1024, "type"=>"keyword"},
"state_or_province"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"not_after"=>{"type"=>"date"}, "not_before"=>{"type"=>"date"},
"public_key_algorithm"=>{"ignore_above"=>1024, "type"=>"keyword"},
"public_key_curve"=>{"ignore_above"=>1024, "type"=>"keyword"},
"public_key_exponent"=>{"doc_values"=>false, "index"=>false, "type"=>"long"},
"public_key_size"=>{"type"=>"long"}, "serial_number"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "signature_algorithm"=>{"ignore_above"=>1024,
"type"=>"keyword"},
"subject"=>{"properties"=>{"common_name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "country"=>{"ignore_above"=>1024, "type"=>"keyword"},
"distinguished_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"locality"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organization"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organizational_unit"=>{"ignore_above"=>1024, "type"=>"keyword"},
"state_or_province"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"version_number"=>{"ignore_above"=>1024, "type"=>"keyword"}}}}, "type"=>"object"},
"matched"=>{"properties"=>{"atomic"=>{"ignore_above"=>1024, "type"=>"keyword"},
"field"=>{"ignore_above"=>1024, "type"=>"keyword"}, "id"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "index"=>{"ignore_above"=>1024, "type"=>"keyword"},
"type"=>{"ignore_above"=>1024, "type"=>"keyword"}}}}, "type"=>"nested"},
"framework"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "group"=>{"properties"=>{"alias"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"reference"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"indicator"=>{"properties"=>{"as"=>{"properties"=>{"number"=>{"type"=>"long"},
"organization"=>{"properties"=>{"name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"}}}}},
"confidence"=>{"ignore_above"=>1024, "type"=>"keyword"},
"description"=>{"ignore_above"=>1024, "type"=>"keyword"},
"email"=>{"properties"=>{"address"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"file"=>{"properties"=>{"accessed"=>{"type"=>"date"},
"attributes"=>{"ignore_above"=>1024, "type"=>"keyword"},
"code_signature"=>{"properties"=>{"digest_algorithm"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "exists"=>{"type"=>"boolean"},
"signing_id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"status"=>{"ignore_above"=>1024, "type"=>"keyword"},
"subject_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"team_id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"timestamp"=>{"type"=>"date"}, "trusted"=>{"type"=>"boolean"},
"valid"=>{"type"=>"boolean"}}}, "created"=>{"type"=>"date"},
"ctime"=>{"type"=>"date"}, "device"=>{"ignore_above"=>1024, "type"=>"keyword"},
"directory"=>{"ignore_above"=>1024, "type"=>"keyword"},
"drive_letter"=>{"ignore_above"=>1, "type"=>"keyword"},
"elf"=>{"properties"=>{"architecture"=>{"ignore_above"=>1024, "type"=>"keyword"},
"byte_order"=>{"ignore_above"=>1024, "type"=>"keyword"},
"cpu_type"=>{"ignore_above"=>1024, "type"=>"keyword"},
"creation_date"=>{"type"=>"date"}, "exports"=>{"type"=>"flattened"},
"header"=>{"properties"=>{"abi_version"=>{"ignore_above"=>1024, "type"=>"keyword"},
"class"=>{"ignore_above"=>1024, "type"=>"keyword"}, "data"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "entrypoint"=>{"type"=>"long"},
"object_version"=>{"ignore_above"=>1024, "type"=>"keyword"},
"os_abi"=>{"ignore_above"=>1024, "type"=>"keyword"}, "type"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "version"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"imports"=>{"type"=>"flattened"},
"sections"=>{"properties"=>{"chi2"=>{"type"=>"long"}, "entropy"=>{"type"=>"long"},
"flags"=>{"ignore_above"=>1024, "type"=>"keyword"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "physical_offset"=>{"ignore_above"=>1024, "type"=>"keyword"},
"physical_size"=>{"type"=>"long"}, "type"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "virtual_address"=>{"type"=>"long"},
"virtual_size"=>{"type"=>"long"}}, "type"=>"nested"},
"segments"=>{"properties"=>{"sections"=>{"ignore_above"=>1024, "type"=>"keyword"},
"type"=>{"ignore_above"=>1024, "type"=>"keyword"}}, "type"=>"nested"},
"shared_libraries"=>{"ignore_above"=>1024, "type"=>"keyword"},
"telfhash"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"extension"=>{"ignore_above"=>1024, "type"=>"keyword"},
"fork_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"gid"=>{"ignore_above"=>1024, "type"=>"keyword"}, "group"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "hash"=>{"properties"=>{"md5"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "sha1"=>{"ignore_above"=>1024, "type"=>"keyword"},
"sha256"=>{"ignore_above"=>1024, "type"=>"keyword"},
"sha512"=>{"ignore_above"=>1024, "type"=>"keyword"},
"ssdeep"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"inode"=>{"ignore_above"=>1024, "type"=>"keyword"},
"mime_type"=>{"ignore_above"=>1024, "type"=>"keyword"},
"mode"=>{"ignore_above"=>1024, "type"=>"keyword"}, "mtime"=>{"type"=>"date"},
"name"=>{"ignore_above"=>1024, "type"=>"keyword"}, "owner"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "path"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"},
"pe"=>{"properties"=>{"architecture"=>{"ignore_above"=>1024, "type"=>"keyword"},
"company"=>{"ignore_above"=>1024, "type"=>"keyword"},
"description"=>{"ignore_above"=>1024, "type"=>"keyword"},
"file_version"=>{"ignore_above"=>1024, "type"=>"keyword"},
"imphash"=>{"ignore_above"=>1024, "type"=>"keyword"},
"original_file_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"product"=>{"ignore_above"=>1024, "type"=>"keyword"}}}, "size"=>{"type"=>"long"},
"target_path"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"}, "type"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "uid"=>{"ignore_above"=>1024, "type"=>"keyword"},
"x509"=>{"properties"=>{"alternative_names"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "issuer"=>{"properties"=>{"common_name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "country"=>{"ignore_above"=>1024, "type"=>"keyword"},
"distinguished_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"locality"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organization"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organizational_unit"=>{"ignore_above"=>1024, "type"=>"keyword"},
"state_or_province"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"not_after"=>{"type"=>"date"}, "not_before"=>{"type"=>"date"},
"public_key_algorithm"=>{"ignore_above"=>1024, "type"=>"keyword"},
"public_key_curve"=>{"ignore_above"=>1024, "type"=>"keyword"},
"public_key_exponent"=>{"doc_values"=>false, "index"=>false, "type"=>"long"},
"public_key_size"=>{"type"=>"long"}, "serial_number"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "signature_algorithm"=>{"ignore_above"=>1024,
"type"=>"keyword"},
"subject"=>{"properties"=>{"common_name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "country"=>{"ignore_above"=>1024, "type"=>"keyword"},
"distinguished_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"locality"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organization"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organizational_unit"=>{"ignore_above"=>1024, "type"=>"keyword"},
"state_or_province"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"version_number"=>{"ignore_above"=>1024, "type"=>"keyword"}}}}},
"first_seen"=>{"type"=>"date"},
"geo"=>{"properties"=>{"city_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"continent_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"continent_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"country_iso_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"country_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"location"=>{"type"=>"geo_point"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "postal_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"region_iso_code"=>{"ignore_above"=>1024, "type"=>"keyword"},
"region_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"timezone"=>{"ignore_above"=>1024, "type"=>"keyword"}}}, "ip"=>{"type"=>"ip"},
"last_seen"=>{"type"=>"date"},
"marking"=>{"properties"=>{"tlp"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"modified_at"=>{"type"=>"date"}, "port"=>{"type"=>"long"},
"provider"=>{"ignore_above"=>1024, "type"=>"keyword"},
"reference"=>{"ignore_above"=>1024, "type"=>"keyword"},
"registry"=>{"properties"=>{"data"=>{"properties"=>{"bytes"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "strings"=>{"type"=>"wildcard"}, "type"=>{"ignore_above"=>1024,
"type"=>"keyword"}}}, "hive"=>{"ignore_above"=>1024, "type"=>"keyword"},
"key"=>{"ignore_above"=>1024, "type"=>"keyword"}, "path"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "value"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"scanner_stats"=>{"type"=>"long"}, "sightings"=>{"type"=>"long"},
"type"=>{"ignore_above"=>1024, "type"=>"keyword"},
"url"=>{"properties"=>{"domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"extension"=>{"ignore_above"=>1024, "type"=>"keyword"},
"fragment"=>{"ignore_above"=>1024, "type"=>"keyword"},
"full"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}}, "type"=>"wildcard"},
"original"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}}, "type"=>"wildcard"},
"password"=>{"ignore_above"=>1024, "type"=>"keyword"},
"path"=>{"type"=>"wildcard"}, "port"=>{"type"=>"long"},
"query"=>{"ignore_above"=>1024, "type"=>"keyword"},
"registered_domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"scheme"=>{"ignore_above"=>1024, "type"=>"keyword"},
"subdomain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"top_level_domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"username"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"x509"=>{"properties"=>{"alternative_names"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "issuer"=>{"properties"=>{"common_name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "country"=>{"ignore_above"=>1024, "type"=>"keyword"},
"distinguished_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"locality"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organization"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organizational_unit"=>{"ignore_above"=>1024, "type"=>"keyword"},
"state_or_province"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"not_after"=>{"type"=>"date"}, "not_before"=>{"type"=>"date"},
"public_key_algorithm"=>{"ignore_above"=>1024, "type"=>"keyword"},
"public_key_curve"=>{"ignore_above"=>1024, "type"=>"keyword"},
"public_key_exponent"=>{"doc_values"=>false, "index"=>false, "type"=>"long"},
"public_key_size"=>{"type"=>"long"}, "serial_number"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "signature_algorithm"=>{"ignore_above"=>1024,
"type"=>"keyword"},
"subject"=>{"properties"=>{"common_name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "country"=>{"ignore_above"=>1024, "type"=>"keyword"},
"distinguished_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"locality"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organization"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organizational_unit"=>{"ignore_above"=>1024, "type"=>"keyword"},
"state_or_province"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"version_number"=>{"ignore_above"=>1024, "type"=>"keyword"}}}}},
"software"=>{"properties"=>{"alias"=>{"ignore_above"=>1024, "type"=>"keyword"},
"id"=>{"ignore_above"=>1024, "type"=>"keyword"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "platforms"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "reference"=>{"ignore_above"=>1024, "type"=>"keyword"},
"type"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"tactic"=>{"properties"=>{"id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"reference"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"technique"=>{"properties"=>{"id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}}, "ignore_above"=>1024,
"type"=>"keyword"}, "reference"=>{"ignore_above"=>1024, "type"=>"keyword"},
"subtechnique"=>{"properties"=>{"id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}}, "ignore_above"=>1024,
"type"=>"keyword"}, "reference"=>{"ignore_above"=>1024, "type"=>"keyword"}}}}}}},
"tls"=>{"properties"=>{"cipher"=>{"ignore_above"=>1024, "type"=>"keyword"},
"client"=>{"properties"=>{"certificate"=>{"ignore_above"=>1024, "type"=>"keyword"},
"certificate_chain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"hash"=>{"properties"=>{"md5"=>{"ignore_above"=>1024, "type"=>"keyword"},
"sha1"=>{"ignore_above"=>1024, "type"=>"keyword"}, "sha256"=>{"ignore_above"=>1024,
"type"=>"keyword"}}}, "issuer"=>{"ignore_above"=>1024, "type"=>"keyword"},
"ja3"=>{"ignore_above"=>1024, "type"=>"keyword"}, "not_after"=>{"type"=>"date"},
"not_before"=>{"type"=>"date"}, "server_name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "subject"=>{"ignore_above"=>1024, "type"=>"keyword"},
"supported_ciphers"=>{"ignore_above"=>1024, "type"=>"keyword"},
"x509"=>{"properties"=>{"alternative_names"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "issuer"=>{"properties"=>{"common_name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "country"=>{"ignore_above"=>1024, "type"=>"keyword"},
"distinguished_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"locality"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organization"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organizational_unit"=>{"ignore_above"=>1024, "type"=>"keyword"},
"state_or_province"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"not_after"=>{"type"=>"date"}, "not_before"=>{"type"=>"date"},
"public_key_algorithm"=>{"ignore_above"=>1024, "type"=>"keyword"},
"public_key_curve"=>{"ignore_above"=>1024, "type"=>"keyword"},
"public_key_exponent"=>{"doc_values"=>false, "index"=>false, "type"=>"long"},
"public_key_size"=>{"type"=>"long"}, "serial_number"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "signature_algorithm"=>{"ignore_above"=>1024,
"type"=>"keyword"},
"subject"=>{"properties"=>{"common_name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "country"=>{"ignore_above"=>1024, "type"=>"keyword"},
"distinguished_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"locality"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organization"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organizational_unit"=>{"ignore_above"=>1024, "type"=>"keyword"},
"state_or_province"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"version_number"=>{"ignore_above"=>1024, "type"=>"keyword"}}}}},
"curve"=>{"ignore_above"=>1024, "type"=>"keyword"},
"established"=>{"type"=>"boolean"}, "next_protocol"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "resumed"=>{"type"=>"boolean"},
"server"=>{"properties"=>{"certificate"=>{"ignore_above"=>1024, "type"=>"keyword"},
"certificate_chain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"hash"=>{"properties"=>{"md5"=>{"ignore_above"=>1024, "type"=>"keyword"},
"sha1"=>{"ignore_above"=>1024, "type"=>"keyword"}, "sha256"=>{"ignore_above"=>1024,
"type"=>"keyword"}}}, "issuer"=>{"ignore_above"=>1024, "type"=>"keyword"},
"ja3s"=>{"ignore_above"=>1024, "type"=>"keyword"}, "not_after"=>{"type"=>"date"},
"not_before"=>{"type"=>"date"}, "subject"=>{"ignore_above"=>1024,
"type"=>"keyword"},
"x509"=>{"properties"=>{"alternative_names"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "issuer"=>{"properties"=>{"common_name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "country"=>{"ignore_above"=>1024, "type"=>"keyword"},
"distinguished_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"locality"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organization"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organizational_unit"=>{"ignore_above"=>1024, "type"=>"keyword"},
"state_or_province"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"not_after"=>{"type"=>"date"}, "not_before"=>{"type"=>"date"},
"public_key_algorithm"=>{"ignore_above"=>1024, "type"=>"keyword"},
"public_key_curve"=>{"ignore_above"=>1024, "type"=>"keyword"},
"public_key_exponent"=>{"doc_values"=>false, "index"=>false, "type"=>"long"},
"public_key_size"=>{"type"=>"long"}, "serial_number"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "signature_algorithm"=>{"ignore_above"=>1024,
"type"=>"keyword"},
"subject"=>{"properties"=>{"common_name"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "country"=>{"ignore_above"=>1024, "type"=>"keyword"},
"distinguished_name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"locality"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organization"=>{"ignore_above"=>1024, "type"=>"keyword"},
"organizational_unit"=>{"ignore_above"=>1024, "type"=>"keyword"},
"state_or_province"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"version_number"=>{"ignore_above"=>1024, "type"=>"keyword"}}}}},
"version"=>{"ignore_above"=>1024, "type"=>"keyword"},
"version_protocol"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"trace"=>{"properties"=>{"id"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"transaction"=>{"properties"=>{"id"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"url"=>{"properties"=>{"domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"extension"=>{"ignore_above"=>1024, "type"=>"keyword"},
"fragment"=>{"ignore_above"=>1024, "type"=>"keyword"},
"full"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}}, "type"=>"wildcard"},
"original"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}}, "type"=>"wildcard"},
"password"=>{"ignore_above"=>1024, "type"=>"keyword"},
"path"=>{"type"=>"wildcard"}, "port"=>{"type"=>"long"},
"query"=>{"ignore_above"=>1024, "type"=>"keyword"},
"registered_domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"scheme"=>{"ignore_above"=>1024, "type"=>"keyword"},
"subdomain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"top_level_domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"username"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"user"=>{"properties"=>{"changes"=>{"properties"=>{"domain"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "email"=>{"ignore_above"=>1024, "type"=>"keyword"},
"full_name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"},
"group"=>{"properties"=>{"domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"id"=>{"ignore_above"=>1024, "type"=>"keyword"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}}}, "hash"=>{"ignore_above"=>1024, "type"=>"keyword"},
"id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}}, "ignore_above"=>1024,
"type"=>"keyword"}, "roles"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"effective"=>{"properties"=>{"domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"email"=>{"ignore_above"=>1024, "type"=>"keyword"},
"full_name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"},
"group"=>{"properties"=>{"domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"id"=>{"ignore_above"=>1024, "type"=>"keyword"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}}}, "hash"=>{"ignore_above"=>1024, "type"=>"keyword"},
"id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}}, "ignore_above"=>1024,
"type"=>"keyword"}, "roles"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"email"=>{"ignore_above"=>1024, "type"=>"keyword"},
"full_name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"},
"group"=>{"properties"=>{"domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"id"=>{"ignore_above"=>1024, "type"=>"keyword"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}}}, "hash"=>{"ignore_above"=>1024, "type"=>"keyword"},
"id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}}, "ignore_above"=>1024,
"type"=>"keyword"}, "roles"=>{"ignore_above"=>1024, "type"=>"keyword"},
"target"=>{"properties"=>{"domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"email"=>{"ignore_above"=>1024, "type"=>"keyword"},
"full_name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"},
"group"=>{"properties"=>{"domain"=>{"ignore_above"=>1024, "type"=>"keyword"},
"id"=>{"ignore_above"=>1024, "type"=>"keyword"}, "name"=>{"ignore_above"=>1024,
"type"=>"keyword"}}}, "hash"=>{"ignore_above"=>1024, "type"=>"keyword"},
"id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}}, "ignore_above"=>1024,
"type"=>"keyword"}, "roles"=>{"ignore_above"=>1024, "type"=>"keyword"}}}}},
"user_agent"=>{"properties"=>{"device"=>{"properties"=>{"name"=>{"ignore_above"=>1024,
"type"=>"keyword"}}}, "name"=>{"ignore_above"=>1024, "type"=>"keyword"},
"original"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}}, "ignore_above"=>1024,
"type"=>"keyword"}, "os"=>{"properties"=>{"family"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "full"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"}, "kernel"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "name"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"}, "platform"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "type"=>{"ignore_above"=>1024, "type"=>"keyword"},
"version"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"version"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"vulnerability"=>{"properties"=>{"category"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "classification"=>{"ignore_above"=>1024,
"type"=>"keyword"},
"description"=>{"fields"=>{"text"=>{"type"=>"match_only_text"}},
"ignore_above"=>1024, "type"=>"keyword"}, "enumeration"=>{"ignore_above"=>1024,
"type"=>"keyword"}, "id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"reference"=>{"ignore_above"=>1024, "type"=>"keyword"},
"report_id"=>{"ignore_above"=>1024, "type"=>"keyword"},
"scanner"=>{"properties"=>{"vendor"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"score"=>{"properties"=>{"base"=>{"type"=>"float"},
"environmental"=>{"type"=>"float"}, "temporal"=>{"type"=>"float"},
"version"=>{"ignore_above"=>1024, "type"=>"keyword"}}},
"severity"=>{"ignore_above"=>1024, "type"=>"keyword"}}}}}}, "priority"=>200,
"_meta"=>{"description"=>"ECS index template for logstash-output-elasticsearch"}}}
[2024-02-25T03:33:54,153][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
Found existing Elasticsearch template, skipping template management
{:name=>"yokogawa-azure-waf"}
[2024-02-25T03:33:55,199][DEBUG][logstash.filters.geoip.downloadmanager] check
update {:endpoint=>"https://geoip.elastic.co/v1/database?key=4b3fec86-3509-494a-8c9e-9d5e0ecb1b8c&elastic_geoip_service_tos=agree",
:response=>200}
[2024-02-25T03:33:55,275][INFO ][logstash.filters.geoip.downloadmanager] new
database version detected? false
[2024-02-25T03:33:55,528][INFO ][logstash.filters.geoip.databasemanager]
[azure_waf_access] By not manually configuring a database path with `database =>`,
you accepted and agreed MaxMind EULA. For more details please visit
https://www.maxmind.com/en/geolite2/eula
[2024-02-25T03:33:55,546][INFO ][logstash.filters.geoip ][azure_waf_access] Using
geoip database
{:path=>"/var/lib/logstash/plugins/filters/geoip/1708831720/GeoLite2-City.mmdb"}
[2024-02-25T03:33:55,627][WARN ][logstash.javapipeline ][azure_waf_access]
'pipeline.ordered' is enabled and is likely less efficient, consider disabling if
preserving event order is not necessary
[2024-02-25T03:33:55,756][INFO ][logstash.javapipeline ][azure_waf_access]
Starting pipeline {:pipeline_id=>"azure_waf_access", "pipeline.workers"=>1,
"pipeline.batch.size"=>125, "pipeline.batch.delay"=>50,
"pipeline.max_inflight"=>125,
"pipeline.sources"=>["/etc/logstash/conf.d/yhq-azurewaf-accesslog.conf"], :thread=>"#<Thread:0x3de9cd2d
/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}
[2024-02-25T03:33:56,400][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:33:56,407][DEBUG]
[org.logstash.instrument.metrics.LazyInstantiatedFlowMetric] Inner FlowMetric
lazy-initialized for queue_persisted_growth_events
[2024-02-25T03:33:56,408][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:33:56,425][DEBUG]
[org.logstash.instrument.metrics.LazyInstantiatedFlowMetric] Inner FlowMetric
lazy-initialized for queue_persisted_growth_bytes
[2024-02-25T03:33:57,227][INFO ][logstash.javapipeline ][azure_waf_access]
Pipeline Java execution initialization time {"seconds"=>1.47}
[2024-02-25T03:33:57,273][DEBUG][logstash.inputs.azureeventhubs][azure_waf_access]
Exploded Event Hub configuration.
{:event_hubs_exploded=>"[{\"event_hubs\"=>[\"insights-logs-applicationgatewayaccesslog\"],
\"event_hub_connections\"=>[<password>], \"consumer_group\"=>\"$Default\",
\"type\"=>\"azure_waf\", \"initial_position\"=>\"end\", \"decorate_events\"=>true,
\"threads\"=>8, \"enable_metric\"=>true,
\"codec\"=><LogStash::Codecs::Plain id=>\"plain_bcd08ae6-aa82-4171-bde3-c112f08f1df1\",
enable_metric=>true, charset=>\"UTF-8\">, \"add_field\"=>{}, \"config_mode\"=>\"basic\",
\"max_batch_size\"=>125, \"prefetch_count\"=>300, \"receive_timeout\"=>60,
\"initial_position_look_back\"=>86400, \"checkpoint_interval\"=>5},
{\"event_hubs\"=>[\"insights-logs-applicationgatewayaccesslog\"],
\"event_hub_connections\"=>[<password>], \"consumer_group\"=>\"$Default\",
\"type\"=>\"azure_waf\", \"initial_position\"=>\"end\", \"decorate_events\"=>true,
\"threads\"=>8, \"enable_metric\"=>true,
\"codec\"=><LogStash::Codecs::Plain id=>\"plain_bcd08ae6-aa82-4171-bde3-c112f08f1df1\",
enable_metric=>true, charset=>\"UTF-8\">, \"add_field\"=>{}, \"config_mode\"=>\"basic\",
\"max_batch_size\"=>125, \"prefetch_count\"=>300, \"receive_timeout\"=>60,
\"initial_position_look_back\"=>86400, \"checkpoint_interval\"=>5}]"}
[2024-02-25T03:33:57,285][INFO ][logstash.javapipeline ][azure_waf_access]
Pipeline started {"pipeline.id"=>"azure_waf_access"}
[2024-02-25T03:33:57,304][DEBUG][logstash.javapipeline ] Pipeline started
successfully {:pipeline_id=>"azure_waf_access", :thread=>"#<Thread:0x3de9cd2d
/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}
[2024-02-25T03:33:57,307][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:33:57,383][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub
insights-logs-applicationgatewayaccesslog is initializing...
[2024-02-25T03:33:57,384][WARN ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] You have NOT
specified a `storage_connection_string` for
insights-logs-applicationgatewayaccesslog. This configuration is only supported for a single
Logstash instance.
[2024-02-25T03:33:57,400][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub
insights-logs-applicationgatewayaccesslog is initializing...
[2024-02-25T03:33:57,400][WARN ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] You have NOT
specified a `storage_connection_string` for
insights-logs-applicationgatewayaccesslog. This configuration is only supported for a single
Logstash instance.
[2024-02-25T03:33:57,403][INFO ]
[com.microsoft.azure.eventprocessorhost.EventProcessorHost][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host
logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: New EventProcessorHost created.
[2024-02-25T03:33:57,403][INFO ]
[com.microsoft.azure.eventprocessorhost.EventProcessorHost][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host
logstash-c87726d9-a7c4-448f-a604-503c9c65536a: New EventProcessorHost created.
[2024-02-25T03:33:57,431][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Configuring
Event Hub insights-logs-applicationgatewayaccesslog to read only new events.
[2024-02-25T03:33:57,440][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Configuring
Event Hub insights-logs-applicationgatewayaccesslog to read only new events.
[2024-02-25T03:33:57,443][INFO ]
[com.microsoft.azure.eventprocessorhost.EventProcessorHost][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host
logstash-c87726d9-a7c4-448f-a604-503c9c65536a: Starting event processing.
[2024-02-25T03:33:57,501][INFO ]
[com.microsoft.azure.eventprocessorhost.EventProcessorHost][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host
logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Starting event processing.
[2024-02-25T03:33:57,525][INFO ][logstash.agent ] Pipelines running
{:count=>1, :running_pipelines=>[:azure_waf_access], :non_running_pipelines=>[]}
[2024-02-25T03:33:57,542][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_3373e7_1708832037501],
hostName[yazure-eventhub-apg01.servicebus.windows.net], info[starting reactor instance.]
[2024-02-25T03:33:57,542][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_05e877_1708832037473],
hostName[yazure-eventhub-apg02.servicebus.windows.net], info[starting reactor instance.]
[2024-02-25T03:33:57,545][INFO ][com.microsoft.azure.eventhubs.impl.ReactorHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
name[MF_3373e7_1708832037501] reactor.onReactorInit
[2024-02-25T03:33:57,552][INFO ][com.microsoft.azure.eventhubs.impl.ReactorHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
name[MF_05e877_1708832037473] reactor.onReactorInit
[2024-02-25T03:33:57,562][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onConnectionInit
hostname[yazure-eventhub-apg02.servicebus.windows.net],
connectionId[MF_05e877_1708832037473]
[2024-02-25T03:33:57,570][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalOpen hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_05e877_1708832037473], errorCondition[null], errorDescription[null]
[2024-02-25T03:33:57,592][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onConnectionInit
hostname[yazure-eventhub-apg01.servicebus.windows.net],
connectionId[MF_3373e7_1708832037501]
[2024-02-25T03:33:57,592][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalOpen hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_3373e7_1708832037501], errorCondition[null], errorDescription[null]
[2024-02-25T03:33:57,836][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionBound hostname[yazure-eventhub-apg01.servicebus.windows.net],
connectionId[MF_3373e7_1708832037501]
[2024-02-25T03:33:57,836][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionBound hostname[yazure-eventhub-apg02.servicebus.windows.net],
connectionId[MF_05e877_1708832037473]
[2024-02-25T03:33:58,086][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteOpen hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_3373e7_1708832037501],
remoteContainer[0dee7b6fd199487aaf6cf57bcbf9a09c_G22]
[2024-02-25T03:33:58,114][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_3373e7_1708832037501],
hostName[yazure-eventhub-apg01.servicebus.windows.net], getting a session.
[2024-02-25T03:33:58,124][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteOpen hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_05e877_1708832037473],
remoteContainer[2635ff2b72224bf3a5d013237fd6ff08_G31]
[2024-02-25T03:33:58,133][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_05e877_1708832037473],
hostName[yazure-eventhub-apg02.servicebus.windows.net], getting a session.
[2024-02-25T03:33:58,134][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_3373e7_1708832037501], entityName[mgmt-session],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:33:58,134][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_05e877_1708832037473], entityName[mgmt-session],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:33:58,144][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
senderName[mgmt], linkName[mgmt:sender], localTarget[Target{address='$management',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:33:58,144][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[mgmt], linkName[mgmt:receiver],
localSource[Source{address='$management', durable=NONE, expiryPolicy=SESSION_END,
timeout=0, dynamic=false, dynamicNodeProperties=null, distributionMode=null,
filter=null, defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:33:58,151][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
senderName[mgmt], linkName[mgmt:sender], localTarget[Target{address='$management',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:33:58,152][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[mgmt], linkName[mgmt:receiver],
localSource[Source{address='$management', durable=NONE, expiryPolicy=SESSION_END,
timeout=0, dynamic=false, dynamicNodeProperties=null, distributionMode=null,
filter=null, defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:33:58,154][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_3373e7_1708832037501],
entityName[mgmt-session], sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:33:58,154][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
senderName[mgmt], linkName[mgmt:sender], remoteTarget[Target{address='$management',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:33:58,154][DEBUG]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkFlow
senderName[mgmt], linkName[mgmt:sender], unsettled[0], credit[100]
[2024-02-25T03:33:58,154][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[mgmt], linkName[mgmt:receiver],
remoteSource[Source{address='$management', durable=NONE, expiryPolicy=SESSION_END,
timeout=0, dynamic=false, dynamicNodeProperties=null, distributionMode=null,
filter=null, defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:33:58,157][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_05e877_1708832037473], entityName[mgmt-
session], sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:33:58,158][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
senderName[mgmt], linkName[mgmt:sender], remoteTarget[Target{address='$management',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:33:58,158][DEBUG]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkFlow
senderName[mgmt], linkName[mgmt:sender], unsettled[0], credit[100]
[2024-02-25T03:33:58,158][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[mgmt], linkName[mgmt:receiver],
remoteSource[Source{address='$management', durable=NONE, expiryPolicy=SESSION_END,
timeout=0, dynamic=false, dynamicNodeProperties=null, distributionMode=null,
filter=null, defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:33:58,172][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onOpen complete clientId[MF_3373e7_1708832037501],
session[mgmt-session], link[mgmt], endpoint[$management]
[2024-02-25T03:33:58,173][DEBUG]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkFlow
senderName[mgmt], linkName[mgmt:sender], unsettled[1], credit[99]
[2024-02-25T03:33:58,177][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onOpen complete clientId[MF_05e877_1708832037473],
session[mgmt-session], link[mgmt], endpoint[$management]
[2024-02-25T03:33:58,178][DEBUG]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkFlow
senderName[mgmt], linkName[mgmt:sender], unsettled[1], credit[99]
[2024-02-25T03:33:58,181][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Eventhub insights-logs-
applicationgatewayaccesslog count of partitions: 4
[2024-02-25T03:33:58,182][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Found partition with id: 0
[2024-02-25T03:33:58,182][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Found partition with id: 1
[2024-02-25T03:33:58,187][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Found partition with id: 2
[2024-02-25T03:33:58,187][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Found partition with id: 3
[2024-02-25T03:33:58,187][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[EC_88537a_1708832037454]
[2024-02-25T03:33:58,187][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[MF_05e877_1708832037473]
[2024-02-25T03:33:58,190][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalClose hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_05e877_1708832037473], errorCondition[null], errorDescription[null]
[2024-02-25T03:33:58,198][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:33:58,198][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:33:58,198][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[mgmt], linkName[mgmt:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:33:58,198][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose connectionId[mgmt-session],
entityName[MF_05e877_1708832037473], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:33:58,191][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: createLeaseStoreIfNotExists()
[2024-02-25T03:33:58,201][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: createCheckpointStoreIfNotExists()
[2024-02-25T03:33:58,202][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: createLeaseIfNotExists() creating new
lease
[2024-02-25T03:33:58,203][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 1: createLeaseIfNotExists() creating new
lease
[2024-02-25T03:33:58,203][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: createLeaseIfNotExists() creating new
lease
[2024-02-25T03:33:58,203][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 3: createLeaseIfNotExists() creating new
lease
[2024-02-25T03:33:58,203][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: createCheckpointIfNotExists() creating new
checkpoint
[2024-02-25T03:33:58,203][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 1: createCheckpointIfNotExists() creating new
checkpoint
[2024-02-25T03:33:58,204][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: createCheckpointIfNotExists() creating new
checkpoint
[2024-02-25T03:33:58,204][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 3: createCheckpointIfNotExists() creating new
checkpoint
[2024-02-25T03:33:58,204][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner first pass
[2024-02-25T03:33:58,207][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:33:58,209][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
expired -1708832038209
[2024-02-25T03:33:58,209][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
expired -1708832038209
[2024-02-25T03:33:58,209][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
expired -1708832038209
[2024-02-25T03:33:58,209][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
expired -1708832038209
[2024-02-25T03:33:58,211][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:33:58,211][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:33:58,211][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[mgmt], linkName[mgmt:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:33:58,211][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[mgmt], linkName[mgmt:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:33:58,212][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onClose complete clientId[MF_05e877_1708832037473],
session[mgmt-session], link[mgmt], endpoint[$management]
[2024-02-25T03:33:58,212][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_05e877_1708832037473], hostName[yazure-eventhub-
apg02.servicebus.windows.net], info[mgmtChannel closed]
[2024-02-25T03:33:58,217][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:33:58,217][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: -1 Rotating leases to start at
2
[2024-02-25T03:33:58,217][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 1 Desired owned count is 1
[2024-02-25T03:33:58,217][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 0 leasesOwnedByOthers 0
unowned 4
[2024-02-25T03:33:58,217][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '2'[0] need 1
[2024-02-25T03:33:58,217][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Finding expired leases from '2'[0] up to
'3'[1]
[2024-02-25T03:33:58,218][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Found in range: 1
[2024-02-25T03:33:58,220][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: getLease()
[2024-02-25T03:33:58,223][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: acquireLease()
[2024-02-25T03:33:58,223][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
expired -1708832038223
[2024-02-25T03:33:58,223][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: acquireLease() acquired lease
[2024-02-25T03:33:58,223][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteClose hostname[yazure-eventhub-
apg02.servicebus.windows.net:5671], connectionId[MF_05e877_1708832037473],
errorCondition[null], errorDescription[null]
[2024-02-25T03:33:58,223][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionError messagingFactory[MF_05e877_1708832037473], hostname[yazure-
eventhub-apg02.servicebus.windows.net], error[null]
[2024-02-25T03:33:58,224][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_05e877_1708832037473], error[n/a]
[2024-02-25T03:33:58,224][INFO ]
[com.microsoft.azure.eventhubs.impl.CustomIOHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed name[MF_05e877_1708832037473], hostname[yazure-eventhub-
apg02.servicebus.windows.net:5671]
[2024-02-25T03:33:58,224][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionUnbound hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_05e877_1708832037473], state[CLOSED], remoteState[CLOSED]
[2024-02-25T03:33:58,224][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_05e877_1708832037473], entityName[mgmt-session], condition[null],
description[null]
[2024-02-25T03:33:58,224][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionFinal hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_05e877_1708832037473], errorCondition[null], errorDescription[null]
[2024-02-25T03:33:58,225][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_05e877_1708832037473], hostName[yazure-eventhub-
apg02.servicebus.windows.net], message[stopping the reactor because thread was
interrupted or the reactor has no more events to process.]
[2024-02-25T03:33:58,233][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Eventhub insights-logs-
applicationgatewayaccesslog count of partitions: 4
[2024-02-25T03:33:58,234][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Found partition with id: 0
[2024-02-25T03:33:58,234][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Found partition with id: 1
[2024-02-25T03:33:58,235][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Found partition with id: 2
[2024-02-25T03:33:58,235][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Found partition with id: 3
[2024-02-25T03:33:58,242][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: createLeaseStoreIfNotExists()
[2024-02-25T03:33:58,227][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: Acquired unowned/expired
[2024-02-25T03:33:58,242][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: creating new pump
[2024-02-25T03:33:58,255][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: Creating and opening event processor
instance
[2024-02-25T03:33:58,256][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: createCheckpointStoreIfNotExists()
[2024-02-25T03:33:58,267][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 0: createLeaseIfNotExists() found existing
lease, OK
[2024-02-25T03:33:58,267][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: createLeaseIfNotExists() found existing
lease, OK
[2024-02-25T03:33:58,267][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 2: createLeaseIfNotExists() found existing
lease, OK
[2024-02-25T03:33:58,267][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: createLeaseIfNotExists() found existing
lease, OK
[2024-02-25T03:33:58,267][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 0: createCheckpointIfNotExists() found
existing checkpoint, OK
[2024-02-25T03:33:58,267][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: createCheckpointIfNotExists() found
existing checkpoint, OK
[2024-02-25T03:33:58,267][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 2: createCheckpointIfNotExists() found
existing checkpoint, OK
[2024-02-25T03:33:58,267][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: createCheckpointIfNotExists() found
existing checkpoint, OK
[2024-02-25T03:33:58,268][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner first pass
[2024-02-25T03:33:58,268][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub
registration complete. {:event_hub_name=>"insights-logs-
applicationgatewayaccesslog"}
[2024-02-25T03:33:58,268][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:33:58,268][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
expired -1708832038268
[2024-02-25T03:33:58,268][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
expired -1708832038268
[2024-02-25T03:33:58,268][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 29955
[2024-02-25T03:33:58,269][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
expired -1708832038269
[2024-02-25T03:33:58,269][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:33:58,269][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: -1 Rotating leases to start at
3
[2024-02-25T03:33:58,269][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 1
[2024-02-25T03:33:58,269][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 0 leasesOwnedByOthers 1
unowned 3
[2024-02-25T03:33:58,269][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '3'[0] need 1
[2024-02-25T03:33:58,269][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Finding expired leases from '3'[0] up to
'0'[1]
[2024-02-25T03:33:58,269][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Found in range: 1
[2024-02-25T03:33:58,269][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: getLease()
[2024-02-25T03:33:58,269][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: acquireLease()
[2024-02-25T03:33:58,269][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
expired -1708832038269
[2024-02-25T03:33:58,269][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: acquireLease() acquired lease
[2024-02-25T03:33:58,269][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Acquired unowned/expired
[2024-02-25T03:33:58,269][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: creating new pump
[2024-02-25T03:33:58,269][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Creating and opening event processor
instance
[2024-02-25T03:33:58,235][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[EC_f28190_1708832037501]
[2024-02-25T03:33:58,272][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[MF_3373e7_1708832037501]
[2024-02-25T03:33:58,272][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '0'[1] need 0
[2024-02-25T03:33:58,272][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:33:58,272][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 4
[2024-02-25T03:33:58,272][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 30
[2024-02-25T03:33:58,273][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalClose hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_3373e7_1708832037501], errorCondition[null], errorDescription[null]
[2024-02-25T03:33:58,273][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:33:58,273][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:33:58,273][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[mgmt], linkName[mgmt:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:33:58,273][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose connectionId[mgmt-session],
entityName[MF_3373e7_1708832037501], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:33:58,258][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub
registration complete. {:event_hub_name=>"insights-logs-
applicationgatewayaccesslog"}
[2024-02-25T03:33:58,274][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub is
processing events... {:event_hub_name=>"insights-logs-
applicationgatewayaccesslog"}
[2024-02-25T03:33:58,257][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '3'[1] need 0
[2024-02-25T03:33:58,275][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:33:58,292][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 85
[2024-02-25T03:33:58,292][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 30
[2024-02-25T03:33:58,287][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub is
processing events... {:event_hub_name=>"insights-logs-
applicationgatewayaccesslog"}
[2024-02-25T03:33:58,276][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:33:58,293][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:33:58,293][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[mgmt], linkName[mgmt:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:33:58,293][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[mgmt], linkName[mgmt:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:33:58,293][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onClose complete clientId[MF_3373e7_1708832037501],
session[mgmt-session], link[mgmt], endpoint[$management]
[2024-02-25T03:33:58,293][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_3373e7_1708832037501], hostName[yazure-eventhub-
apg01.servicebus.windows.net], info[mgmtChannel closed]
[2024-02-25T03:33:58,293][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteClose hostname[yazure-eventhub-
apg01.servicebus.windows.net:5671], connectionId[MF_3373e7_1708832037501],
errorCondition[null], errorDescription[null]
[2024-02-25T03:33:58,293][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionError messagingFactory[MF_3373e7_1708832037501], hostname[yazure-
eventhub-apg01.servicebus.windows.net], error[null]
[2024-02-25T03:33:58,293][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_3373e7_1708832037501], error[n/a]
[2024-02-25T03:33:58,293][INFO ]
[com.microsoft.azure.eventhubs.impl.CustomIOHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed name[MF_3373e7_1708832037501], hostname[yazure-eventhub-
apg01.servicebus.windows.net:5671]
[2024-02-25T03:33:58,294][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionUnbound hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_3373e7_1708832037501], state[CLOSED], remoteState[CLOSED]
[2024-02-25T03:33:58,294][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_3373e7_1708832037501], entityName[mgmt-session], condition[null],
description[null]
[2024-02-25T03:33:58,294][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionFinal hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_3373e7_1708832037501], errorCondition[null], errorDescription[null]
[2024-02-25T03:33:58,294][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_3373e7_1708832037501], hostName[yazure-eventhub-
apg01.servicebus.windows.net], message[stopping the reactor because thread was
interrupted or the reactor has no more events to process.]
[2024-02-25T03:33:58,329][DEBUG][logstash.codecs.plain ][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] config
LogStash::Codecs::Plain/@id = "plain_bcd08ae6-aa82-4171-bde3-c112f08f1df1"
[2024-02-25T03:33:58,329][DEBUG][logstash.codecs.plain ][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] config
LogStash::Codecs::Plain/@enable_metric = true
[2024-02-25T03:33:58,329][DEBUG][logstash.codecs.plain ][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] config
LogStash::Codecs::Plain/@charset = "UTF-8"
[2024-02-25T03:33:58,343][DEBUG][logstash.codecs.plain ][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] config
LogStash::Codecs::Plain/@id = "plain_bcd08ae6-aa82-4171-bde3-c112f08f1df1"
[2024-02-25T03:33:58,344][DEBUG][logstash.codecs.plain ][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] config
LogStash::Codecs::Plain/@enable_metric = true
[2024-02-25T03:33:58,344][DEBUG][logstash.codecs.plain ][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] config
LogStash::Codecs::Plain/@charset = "UTF-8"
[2024-02-25T03:33:58,363][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is opening.
[2024-02-25T03:33:58,363][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Opening EH client
[2024-02-25T03:33:58,364][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_1e7a59_1708832038364], hostName[yazure-eventhub-
apg01.servicebus.windows.net], info[starting reactor instance.]
[2024-02-25T03:33:58,365][INFO ][com.microsoft.azure.eventhubs.impl.ReactorHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
name[MF_1e7a59_1708832038364] reactor.onReactorInit
[2024-02-25T03:33:58,365][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onConnectionInit
hostname[yazure-eventhub-apg01.servicebus.windows.net],
connectionId[MF_1e7a59_1708832038364]
[2024-02-25T03:33:58,373][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalOpen hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_1e7a59_1708832038364], errorCondition[null], errorDescription[null]
[2024-02-25T03:33:58,375][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionBound hostname[yazure-eventhub-apg01.servicebus.windows.net],
connectionId[MF_1e7a59_1708832038364]
[2024-02-25T03:33:58,364][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 2 is opening.
[2024-02-25T03:33:58,383][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: Opening EH client
[2024-02-25T03:33:58,384][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_00b33c_1708832038383], hostName[yazure-eventhub-
apg02.servicebus.windows.net], info[starting reactor instance.]
[2024-02-25T03:33:58,384][INFO ][com.microsoft.azure.eventhubs.impl.ReactorHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
name[MF_00b33c_1708832038383] reactor.onReactorInit
[2024-02-25T03:33:58,384][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onConnectionInit
hostname[yazure-eventhub-apg02.servicebus.windows.net],
connectionId[MF_00b33c_1708832038383]
[2024-02-25T03:33:58,384][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalOpen hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_00b33c_1708832038383], errorCondition[null], errorDescription[null]
[2024-02-25T03:33:58,392][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionBound hostname[yazure-eventhub-apg02.servicebus.windows.net],
connectionId[MF_00b33c_1708832038383]
[2024-02-25T03:33:58,462][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteOpen hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_1e7a59_1708832038364],
remoteContainer[4b33cce5bf1a485ca8cbeb4ac8571634_G17]
[2024-02-25T03:33:58,463][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: getCheckpoint() uninitalized
[2024-02-25T03:33:58,463][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Calling user-provided initial position
provider
[2024-02-25T03:33:58,465][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Initial position provided:
offset[@latest], sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:33:58,465][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Opening EH receiver with epoch 0 at
location offset[@latest], sequenceNumber[null], enqueuedTime[null],
inclusiveFlag[false]
[2024-02-25T03:33:58,473][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteOpen hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_00b33c_1708832038383],
remoteContainer[5524d93dbdef4c24a035bd29c242dc7f_G9]
[2024-02-25T03:33:58,475][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: getCheckpoint() uninitalized
[2024-02-25T03:33:58,475][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: Calling user-provided initial position
provider
[2024-02-25T03:33:58,475][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: Initial position provided:
offset[@latest], sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:33:58,475][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: Opening EH receiver with epoch 0 at
location offset[@latest], sequenceNumber[null], enqueuedTime[null],
inclusiveFlag[false]
[2024-02-25T03:33:58,503][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_539107_1708832038496_MF_00b33c_1708832038383-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
2], operationTimeout[PT1M], creating a receive link
[2024-02-25T03:33:58,504][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], operationTimeout[PT1M], creating a receive link
[2024-02-25T03:33:58,513][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_1e7a59_1708832038364], hostName[yazure-eventhub-
apg01.servicebus.windows.net], getting a session.
[2024-02-25T03:33:58,514][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_1e7a59_1708832038364], entityName[cbs-session],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:33:58,515][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
senderName[cbs], linkName[cbs:sender], localTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:33:58,515][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[cbs], linkName[cbs:receiver], localSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:33:58,513][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_00b33c_1708832038383], hostName[yazure-eventhub-
apg02.servicebus.windows.net], getting a session.
[2024-02-25T03:33:58,516][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_00b33c_1708832038383], entityName[cbs-session],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:33:58,516][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
senderName[cbs], linkName[cbs:sender], localTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:33:58,516][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[cbs], linkName[cbs:receiver], localSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:33:58,524][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_00b33c_1708832038383], entityName[cbs-session],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:33:58,524][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
senderName[cbs], linkName[cbs:sender], remoteTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:33:58,524][DEBUG]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkFlow
senderName[cbs], linkName[cbs:sender], unsettled[0], credit[100]
[2024-02-25T03:33:58,524][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[cbs], linkName[cbs:receiver], remoteSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:33:58,525][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onOpen complete clientId[MF_00b33c_1708832038383],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:33:58,525][DEBUG]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkFlow
senderName[cbs], linkName[cbs:sender], unsettled[1], credit[99]
[2024-02-25T03:33:58,533][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_1e7a59_1708832038364], entityName[cbs-session],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:33:58,533][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
senderName[cbs], linkName[cbs:sender], remoteTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:33:58,533][DEBUG]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkFlow
senderName[cbs], linkName[cbs:sender], unsettled[0], credit[100]
[2024-02-25T03:33:58,533][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[cbs], linkName[cbs:receiver], remoteSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:33:58,534][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onOpen complete clientId[MF_1e7a59_1708832038364],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:33:58,535][DEBUG]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkFlow
senderName[cbs], linkName[cbs:sender], unsettled[1], credit[99]
[2024-02-25T03:33:58,536][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_00b33c_1708832038383], hostName[yazure-eventhub-
apg02.servicebus.windows.net], getting a session.
[2024-02-25T03:33:58,536][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_00b33c_1708832038383], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/2],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:33:58,544][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_00b33c_1708832038383], entityName[insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/2],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:33:58,544][INFO ]
[com.microsoft.azure.eventhubs.impl.PartitionReceiverImpl][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
receiverPath[RECEIVER IS NULL], action[createReceiveLink], offset[@latest],
sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:33:58,545][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[PR_539107_1708832038496_MF_00b33c_1708832038383-InternalReceiver],
linkName[LN_c22bd3_1708832038545_dc7f_G9], localSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/2',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=UnknownDescribedType{descriptor=apache.org:selector-filter:string,
described=amqp.annotation.x-opt-offset > '@latest'}}, defaultOutcome=null,
outcomes=null, capabilities=null}]
[2024-02-25T03:33:58,564][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_1e7a59_1708832038364], hostName[yazure-eventhub-
apg01.servicebus.windows.net], getting a session.
[2024-02-25T03:33:58,566][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_1e7a59_1708832038364], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/3],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:33:58,566][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[PR_539107_1708832038496_MF_00b33c_1708832038383-InternalReceiver],
linkName[LN_c22bd3_1708832038545_dc7f_G9], remoteSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/2',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null,
filter={apache.org:selector-filter:string=org.apache.qpid.proton.codec.DecoderImpl$UnknownDescribedType@11a47188},
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:33:58,573][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_539107_1708832038496_MF_00b33c_1708832038383-InternalReceiver],
receiverPath[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/2], linkName[LN_c22bd3_1708832038545_dc7f_G9], updated-link-credit[300],
sentCredits[300], ThreadId[41]
[2024-02-25T03:33:58,573][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onOpenComplete -
clientId[PR_539107_1708832038496_MF_00b33c_1708832038383-InternalReceiver],
receiverPath[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/2], linkName[LN_c22bd3_1708832038545_dc7f_G9], updated-link-credit[300],
sentCredits[300]
[2024-02-25T03:33:58,573][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: EH client and receiver creation finished
[2024-02-25T03:33:58,575][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_1e7a59_1708832038364], entityName[insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/3],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:33:58,575][INFO ]
[com.microsoft.azure.eventhubs.impl.PartitionReceiverImpl][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
receiverPath[RECEIVER IS NULL], action[createReceiveLink], offset[@latest],
sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:33:58,575][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
linkName[LN_163586_1708832038575_634_G17], localSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/3',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=UnknownDescribedType{descriptor=apache.org:selector-filter:string,
described=amqp.annotation.x-opt-offset > '@latest'}}, defaultOutcome=null,
outcomes=null, capabilities=null}]
[2024-02-25T03:33:58,584][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_539107_1708832038496_MF_00b33c_1708832038383-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
2], linkName[LN_c22bd3_1708832038545_dc7f_G9] - schedule operation timer, current:
[2024-02-25T03:33:58.584711564Z], remaining: [60] secs
[2024-02-25T03:33:58,586][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:33:58,596][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
linkName[LN_163586_1708832038575_634_G17], remoteSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/3',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null,
filter={apache.org:selector-filter:string=org.apache.qpid.proton.codec.DecoderImpl$UnknownDescribedType@2095ac5b},
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:33:58,605][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: EH client and receiver creation finished
[2024-02-25T03:33:58,605][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], linkName[LN_163586_1708832038575_634_G17] - schedule operation timer, current:
[2024-02-25T03:33:58.605910017Z], remaining: [60] secs
[2024-02-25T03:33:58,606][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:33:58,597][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
receiverPath[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/3], linkName[LN_163586_1708832038575_634_G17], updated-link-credit[300],
sentCredits[300], ThreadId[47]
[2024-02-25T03:33:58,607][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onOpenComplete -
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
receiverPath[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/3], linkName[LN_163586_1708832038575_634_G17], updated-link-credit[300],
sentCredits[300]
[2024-02-25T03:34:00,781][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:34:00,782][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:34:00,849][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:34:01,448][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:34:01,449][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:34:02,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:34:03,744][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:34:03,745][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:34:03,764][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:34:06,463][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:34:06,464][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:34:06,735][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:34:06,736][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:34:06,748][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:34:07,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:34:08,586][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:34:08,586][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:34:08,587][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:34:08,606][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:34:08,606][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:34:08,606][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:34:09,739][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:34:09,740][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:34:09,755][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:34:11,471][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:34:11,471][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:34:12,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:34:12,737][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:34:12,738][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:34:12,749][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:34:15,727][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:34:15,735][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:34:15,745][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:34:16,479][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:34:16,479][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:34:17,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:34:18,587][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:34:18,587][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:34:18,587][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:34:18,606][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:34:18,607][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:34:18,607][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:34:18,726][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:34:18,727][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:34:18,736][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:34:21,493][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:34:21,493][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:34:21,721][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:34:21,722][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:34:21,731][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:34:22,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:34:24,727][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:34:24,727][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:34:24,737][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:34:26,458][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1206079401} forced-compaction result (captures: `3` span: `PT10.006153092S`)
[2024-02-25T03:34:26,466][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=725814568} forced-compaction result (captures: `3` span: `PT10.014451169S`)
[2024-02-25T03:34:26,466][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1730595321} forced-compaction result (captures: `3` span: `PT10.014593272S`)
[2024-02-25T03:34:26,509][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:34:26,510][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:34:27,120][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is processing a batch of
size 1.
[2024-02-25T03:34:27,307][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:34:27,483][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Saving checkpoint: 1533313425944//1261831
[2024-02-25T03:34:27,490][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: updateCheckpoint() 1533313425944//1261831
[2024-02-25T03:34:27,492][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 finished processing a batch
of 3019 bytes.
[2024-02-25T03:34:27,492][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], linkName[LN_163586_1708832038575_634_G17] - schedule operation timer, current:
[2024-02-25T03:34:27.492720713Z], remaining: [60] secs
[2024-02-25T03:34:27,754][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:34:27,772][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:34:27,725][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:34:27.178001589Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:33:55+00:00\", \"time\": \"2024-02-25T03:33:55+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.7\",\"clientPort\":42678,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=9024&mode=al2&namber=5789364&no=0&page=0&rev=1&space=45\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=9024&mode=al2&namber=5789364&no=0&page=0&rev=1&spa
ce=45\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":383,\"sentBytes\":509,\"connectionSerialNumber\":509771,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"51f30c8477b926
ee91873705d6ca3061\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:33:59+00:00\", \"time\": \"2024-02-
25T03:33:59+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.1\",\"clientPort\":7228,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=30944&mode=al2&namber=41284&no=0&page=0&rev=1&space=45\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=30944&mode=al2&namber=41284&no=0&page=0&rev=1&spac
e=45\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":382,\"sentBytes\":508,\"connectionSerialNumber\":509772,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"507685a84f4aa7
200b41184834f17966\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}", "event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-
02-25T03:33:55+00:00\", \"time\": \"2024-02-
25T03:33:55+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.7\",\"clientPort\":42678,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=9024&mode=al2&namber=5789364&no=0&page=0&rev=1&space=45\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=9024&mode=al2&namber=5789364&no=0&page=0&rev=1&spa
ce=45\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":383,\"sentBytes\":509,\"connectionSerialNumber\":509771,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"51f30c8477b926
ee91873705d6ca3061\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:33:59+00:00\", \"time\": \"2024-02-
25T03:33:59+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.1\",\"clientPort\":7228,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=30944&mode=al2&namber=41284&no=0&page=0&rev=1&space=45\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=30944&mode=al2&namber=41284&no=0&page=0&rev=1&spac
e=45\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":382,\"sentBytes\":508,\"connectionSerialNumber\":509772,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"507685a84f4aa7
200b41184834f17966\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}"}}}
[2024-02-25T03:34:27,834][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:34:27,848][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:33:55+00:00", "timeStamp"=>"2024-02-25T03:33:55+00:00",
"listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect", "properties"=>{"host"=>"",
"clientPort"=>42678, "sslProtocol"=>"", "serverRouted"=>"", "sslCipher"=>"",
"WAFMode"=>"", "timeTaken"=>0, "transactionId"=>"51f30c8477b926ee91873705d6ca3061",
"sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mo=9024&mode=al2&namber=5789364&no=0&page=0&rev=1&space=45",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"185.191.171.7",
"httpStatus"=>301, "sentBytes"=>509,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509771, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>383,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mo=9024&mode=al2&namber=5789364&no=0&page=0&rev=1&space=45",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, {"time"=>"2024-02-
25T03:33:59+00:00", "timeStamp"=>"2024-02-25T03:33:59+00:00",
"listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect", "properties"=>{"host"=>"",
"clientPort"=>7228, "sslProtocol"=>"", "serverRouted"=>"", "sslCipher"=>"",
"WAFMode"=>"", "timeTaken"=>0, "transactionId"=>"507685a84f4aa7200b41184834f17966",
"sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mo=30944&mode=al2&namber=41284&no=0&page=0&rev=1&space=45",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"185.191.171.1",
"httpStatus"=>301, "sentBytes"=>508,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509772, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>382,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mo=30944&mode=al2&namber=41284&no=0&page=0&rev=1&space=45",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}], "@timestamp"=>2024-02-
25T03:34:27.178001589Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:33:55+00:00\", \"time\": \"2024-02-25T03:33:55+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.7\",\"clientPort\":42678,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=9024&mode=al2&namber=5789364&no=0&page=0&rev=1&space=45\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=9024&mode=al2&namber=5789364&no=0&page=0&rev=1&spa
ce=45\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":383,\"sentBytes\":509,\"connectionSerialNumber\":509771,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"51f30c8477b926
ee91873705d6ca3061\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:33:59+00:00\", \"time\": \"2024-02-
25T03:33:59+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.1\",\"clientPort\":7228,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=30944&mode=al2&namber=41284&no=0&page=0&rev=1&space=45\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=30944&mode=al2&namber=41284&no=0&page=0&rev=1&spac
e=45\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":382,\"sentBytes\":508,\"connectionSerialNumber\":509772,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"507685a84f4aa7
200b41184834f17966\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}", "event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-
02-25T03:33:55+00:00\", \"time\": \"2024-02-
25T03:33:55+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.7\",\"clientPort\":42678,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=9024&mode=al2&namber=5789364&no=0&page=0&rev=1&space=45\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=9024&mode=al2&namber=5789364&no=0&page=0&rev=1&spa
ce=45\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":383,\"sentBytes\":509,\"connectionSerialNumber\":509771,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"51f30c8477b926
ee91873705d6ca3061\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:33:59+00:00\", \"time\": \"2024-02-
25T03:33:59+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.1\",\"clientPort\":7228,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=30944&mode=al2&namber=41284&no=0&page=0&rev=1&space=45\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=30944&mode=al2&namber=41284&no=0&page=0&rev=1&spac
e=45\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":382,\"sentBytes\":508,\"connectionSerialNumber\":509772,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"507685a84f4aa7
200b41184834f17966\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\"
:\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\
"rep.jp.yokogawa.com\",\"host\":\"\"}}]}"}}}
[2024-02-25T03:34:27,968][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:33:55+00:00", "timeStamp"=>"2024-02-
25T03:33:55+00:00", "listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect",
"properties"=>{"host"=>"", "clientPort"=>42678, "sslProtocol"=>"",
"serverRouted"=>"", "sslCipher"=>"", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"51f30c8477b926ee91873705d6ca3061", "sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mo=9024&mode=al2&namber=5789364&no=0&page=0&rev=1&space=45",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"185.191.171.7",
"httpStatus"=>301, "sentBytes"=>509,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509771, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>383,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mo=9024&mode=al2&namber=5789364&no=0&page=0&rev=1&space=45",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, :field=>"records"}
[2024-02-25T03:34:27,988][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:33:59+00:00", "timeStamp"=>"2024-02-
25T03:33:59+00:00", "listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect",
"properties"=>{"host"=>"", "clientPort"=>7228, "sslProtocol"=>"",
"serverRouted"=>"", "sslCipher"=>"", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"507685a84f4aa7200b41184834f17966", "sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mo=30944&mode=al2&namber=41284&no=0&page=0&rev=1&space=45",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"185.191.171.1",
"httpStatus"=>301, "sentBytes"=>508,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509772, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>382,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mo=30944&mode=al2&namber=41284&no=0&page=0&rev=1&space=45",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, :field=>"records"}
[2024-02-25T03:34:28,278][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:34:28,278][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
expired -1708832068278
[2024-02-25T03:34:28,278][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
expired -1708832068278
[2024-02-25T03:34:28,287][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20300
[2024-02-25T03:34:28,287][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20320
[2024-02-25T03:34:28,287][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:34:28,287][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:34:28,287][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:34:28,287][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 1 leasesOwnedByOthers 1
unowned 2
[2024-02-25T03:34:28,287][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 1
[2024-02-25T03:34:28,287][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Finding expired leases from '2'[0] up to
'3'[1]
[2024-02-25T03:34:28,287][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Found in range: 0
[2024-02-25T03:34:28,288][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '3'[1] need 1
[2024-02-25T03:34:28,288][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Finding expired leases from '3'[1] up to
'0'[2]
[2024-02-25T03:34:28,288][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Found in range: 0
[2024-02-25T03:34:28,296][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:34:28,296][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
expired -1708832068296
[2024-02-25T03:34:28,296][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
expired -1708832068296
[2024-02-25T03:34:28,296][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20291
[2024-02-25T03:34:28,296][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20311
[2024-02-25T03:34:28,297][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '0'[2] need 1
[2024-02-25T03:34:28,297][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Finding expired leases from '0'[2] up to
'1'[3]
[2024-02-25T03:34:28,297][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Found in range: 1
[2024-02-25T03:34:28,297][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:34:28,297][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:34:28,297][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:34:28,298][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 1 leasesOwnedByOthers 1
unowned 2
[2024-02-25T03:34:28,298][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 1
[2024-02-25T03:34:28,298][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Finding expired leases from '0'[0] up to
'1'[1]
[2024-02-25T03:34:28,298][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Found in range: 1
[2024-02-25T03:34:28,298][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: getLease()
[2024-02-25T03:34:28,305][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: getLease()
[2024-02-25T03:34:28,306][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 0: acquireLease()
[2024-02-25T03:34:28,306][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
expired -1708832068306
[2024-02-25T03:34:28,306][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 0: acquireLease() acquired lease
[2024-02-25T03:34:28,306][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: acquireLease()
[2024-02-25T03:34:28,306][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 30000
[2024-02-25T03:34:28,306][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: acquireLease() stole lease from logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6
[2024-02-25T03:34:28,307][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 0: Acquired unowned/expired
[2024-02-25T03:34:28,307][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 0: creating new pump
[2024-02-25T03:34:28,314][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 0: Creating and opening event processor
instance
[2024-02-25T03:34:28,307][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: Acquired unowned/expired
[2024-02-25T03:34:28,326][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '1'[3] need 0
[2024-02-25T03:34:28,326][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:34:28,335][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: creating new pump
[2024-02-25T03:34:28,346][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: Creating and opening event processor
instance
[2024-02-25T03:34:28,347][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '1'[1] need 0
[2024-02-25T03:34:28,348][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:34:28,348][DEBUG][logstash.codecs.plain ][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] config
LogStash::Codecs::Plain/@id = "plain_bcd08ae6-aa82-4171-bde3-c112f08f1df1"
[2024-02-25T03:34:28,340][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 62
[2024-02-25T03:34:28,348][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:34:28,348][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 52
[2024-02-25T03:34:28,348][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:34:28,345][DEBUG][logstash.codecs.plain ][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] config
LogStash::Codecs::Plain/@id = "plain_bcd08ae6-aa82-4171-bde3-c112f08f1df1"
[2024-02-25T03:34:28,356][DEBUG][logstash.codecs.plain ][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] config
LogStash::Codecs::Plain/@enable_metric = true
[2024-02-25T03:34:28,356][DEBUG][logstash.codecs.plain ][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] config
LogStash::Codecs::Plain/@charset = "UTF-8"
[2024-02-25T03:34:28,348][DEBUG][logstash.codecs.plain ][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] config
LogStash::Codecs::Plain/@enable_metric = true
[2024-02-25T03:34:28,357][DEBUG][logstash.codecs.plain ][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] config
LogStash::Codecs::Plain/@charset = "UTF-8"
[2024-02-25T03:34:28,365][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 0 is opening.
[2024-02-25T03:34:28,365][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: Opening EH client
[2024-02-25T03:34:28,367][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_dea4fe_1708832068367], hostName[yazure-eventhub-
apg02.servicebus.windows.net], info[starting reactor instance.]
[2024-02-25T03:34:28,366][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 0 is opening.
[2024-02-25T03:34:28,375][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 0: Opening EH client
[2024-02-25T03:34:28,377][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_de12bf_1708832068377], hostName[yazure-eventhub-
apg01.servicebus.windows.net], info[starting reactor instance.]
[2024-02-25T03:34:28,377][INFO ][com.microsoft.azure.eventhubs.impl.ReactorHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
name[MF_de12bf_1708832068377] reactor.onReactorInit
[2024-02-25T03:34:28,385][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onConnectionInit
hostname[yazure-eventhub-apg01.servicebus.windows.net],
connectionId[MF_de12bf_1708832068377]
[2024-02-25T03:34:28,385][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalOpen hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_de12bf_1708832068377], errorCondition[null], errorDescription[null]
[2024-02-25T03:34:28,386][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionBound hostname[yazure-eventhub-apg01.servicebus.windows.net],
connectionId[MF_de12bf_1708832068377]
[2024-02-25T03:34:28,388][INFO ][com.microsoft.azure.eventhubs.impl.ReactorHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
name[MF_dea4fe_1708832068367] reactor.onReactorInit
[2024-02-25T03:34:28,388][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onConnectionInit
hostname[yazure-eventhub-apg02.servicebus.windows.net],
connectionId[MF_dea4fe_1708832068367]
[2024-02-25T03:34:28,388][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalOpen hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_dea4fe_1708832068367], errorCondition[null], errorDescription[null]
[2024-02-25T03:34:28,415][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionBound hostname[yazure-eventhub-apg02.servicebus.windows.net],
connectionId[MF_dea4fe_1708832068367]
[2024-02-25T03:34:28,580][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteOpen hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_de12bf_1708832068377],
remoteContainer[8c430f54cd3e424d9acf5479afe7ad90_G21]
[2024-02-25T03:34:28,570][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteOpen hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_dea4fe_1708832068367],
remoteContainer[3bb97820beda43f7a42712dc1b8ade07_G30]
[2024-02-25T03:34:28,588][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:34:28,589][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:34:28,589][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: getCheckpoint() uninitalized
[2024-02-25T03:34:28,589][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: Calling user-provided initial position
provider
[2024-02-25T03:34:28,589][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: Initial position provided:
offset[@latest], sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:34:28,589][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:34:28,589][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: Opening EH receiver with epoch 0 at
location offset[@latest], sequenceNumber[null], enqueuedTime[null],
inclusiveFlag[false]
[2024-02-25T03:34:28,588][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 0: getCheckpoint() uninitalized
[2024-02-25T03:34:28,597][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 0: Calling user-provided initial position
provider
[2024-02-25T03:34:28,597][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 0: Initial position provided:
offset[@latest], sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:34:28,598][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 0: Opening EH receiver with epoch 0 at
location offset[@latest], sequenceNumber[null], enqueuedTime[null],
inclusiveFlag[false]
[2024-02-25T03:34:28,597][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_fa3633_1708832068590_MF_dea4fe_1708832068367-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
0], operationTimeout[PT1M], creating a receive link
[2024-02-25T03:34:28,598][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_dea4fe_1708832068367], hostName[yazure-eventhub-
apg02.servicebus.windows.net], getting a session.
[2024-02-25T03:34:28,598][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_dea4fe_1708832068367], entityName[cbs-session],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:34:28,599][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
senderName[cbs], linkName[cbs:sender], localTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:34:28,599][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[cbs], linkName[cbs:receiver], localSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:34:28,600][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_1063f9_1708832068598_MF_de12bf_1708832068377-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
0], operationTimeout[PT1M], creating a receive link
[2024-02-25T03:34:28,607][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:34:28,608][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:34:28,608][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_dea4fe_1708832068367], entityName[cbs-session],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:34:28,608][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
senderName[cbs], linkName[cbs:sender], remoteTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:34:28,608][DEBUG]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkFlow
senderName[cbs], linkName[cbs:sender], unsettled[0], credit[100]
[2024-02-25T03:34:28,608][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[cbs], linkName[cbs:receiver], remoteSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:34:28,608][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onOpen complete clientId[MF_dea4fe_1708832068367],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:34:28,609][DEBUG]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkFlow
senderName[cbs], linkName[cbs:sender], unsettled[1], credit[99]
[2024-02-25T03:34:28,609][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:34:28,609][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_de12bf_1708832068377], hostName[yazure-eventhub-
apg01.servicebus.windows.net], getting a session.
[2024-02-25T03:34:28,610][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_de12bf_1708832068377], entityName[cbs-session],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:34:28,617][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_dea4fe_1708832068367], hostName[yazure-eventhub-
apg02.servicebus.windows.net], getting a session.
[2024-02-25T03:34:28,618][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_dea4fe_1708832068367], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/0],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:34:28,619][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
senderName[cbs], linkName[cbs:sender], localTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:34:28,619][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[cbs], linkName[cbs:receiver], localSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:34:28,620][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_dea4fe_1708832068367], entityName[insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/0],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:34:28,620][INFO ]
[com.microsoft.azure.eventhubs.impl.PartitionReceiverImpl][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
receiverPath[RECEIVER IS NULL], action[createReceiveLink], offset[@latest],
sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:34:28,627][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[PR_fa3633_1708832068590_MF_dea4fe_1708832068367-InternalReceiver],
linkName[LN_f9801c_1708832068620_e07_G30], localSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/0',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=UnknownDescribedType{descriptor=apache.org:selector-filter:string,
described=amqp.annotation.x-opt-offset > '@latest'}}, defaultOutcome=null,
outcomes=null, capabilities=null}]
[2024-02-25T03:34:28,629][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_de12bf_1708832068377], entityName[cbs-session],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:34:28,629][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
senderName[cbs], linkName[cbs:sender], remoteTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:34:28,629][DEBUG]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkFlow
senderName[cbs], linkName[cbs:sender], unsettled[0], credit[100]
[2024-02-25T03:34:28,629][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[cbs], linkName[cbs:receiver], remoteSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:34:28,630][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onOpen complete clientId[MF_de12bf_1708832068377],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:34:28,630][DEBUG]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkFlow
senderName[cbs], linkName[cbs:sender], unsettled[1], credit[99]
[2024-02-25T03:34:28,638][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_de12bf_1708832068377], hostName[yazure-eventhub-
apg01.servicebus.windows.net], getting a session.
[2024-02-25T03:34:28,638][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_de12bf_1708832068377], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/0],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:34:28,640][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_de12bf_1708832068377], entityName[insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/0],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:34:28,640][INFO ]
[com.microsoft.azure.eventhubs.impl.PartitionReceiverImpl][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
receiverPath[RECEIVER IS NULL], action[createReceiveLink], offset[@latest],
sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:34:28,640][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[PR_1063f9_1708832068598_MF_de12bf_1708832068377-InternalReceiver],
linkName[LN_2e18ae_1708832068640_d90_G21], localSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/0',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=UnknownDescribedType{descriptor=apache.org:selector-filter:string,
described=amqp.annotation.x-opt-offset > '@latest'}}, defaultOutcome=null,
outcomes=null, capabilities=null}]
[2024-02-25T03:34:28,648][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[PR_1063f9_1708832068598_MF_de12bf_1708832068377-InternalReceiver],
linkName[LN_2e18ae_1708832068640_d90_G21], remoteSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/0',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=org.apache.qpid.proton.codec.DecoderImpl$UnknownDescribedType@7bcce0b
7}, defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:34:28,648][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_1063f9_1708832068598_MF_de12bf_1708832068377-InternalReceiver],
receiverPath[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/0], linkName[LN_2e18ae_1708832068640_d90_G21], updated-link-credit[300],
sentCredits[300], ThreadId[41]
[2024-02-25T03:34:28,648][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onOpenComplete -
clientId[PR_1063f9_1708832068598_MF_de12bf_1708832068377-InternalReceiver],
receiverPath[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/0], linkName[LN_2e18ae_1708832068640_d90_G21], updated-link-credit[300],
sentCredits[300]
[2024-02-25T03:34:28,649][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 0: EH client and receiver creation finished
[2024-02-25T03:34:28,649][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_1063f9_1708832068598_MF_de12bf_1708832068377-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
0], linkName[LN_2e18ae_1708832068640_d90_G21] - schedule operation timer, current:
[2024-02-25T03:34:28.649335625Z], remaining: [60] secs
[2024-02-25T03:34:28,649][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 0: scheduling leaseRenewer in 10
[2024-02-25T03:34:28,657][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[PR_fa3633_1708832068590_MF_dea4fe_1708832068367-InternalReceiver],
linkName[LN_f9801c_1708832068620_e07_G30], remoteSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/0',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=org.apache.qpid.proton.codec.DecoderImpl$UnknownDescribedType@37ab7be
e}, defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:34:28,657][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_fa3633_1708832068590_MF_dea4fe_1708832068367-InternalReceiver],
receiverPath[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/0], linkName[LN_f9801c_1708832068620_e07_G30], updated-link-credit[300],
sentCredits[300], ThreadId[47]
[2024-02-25T03:34:28,657][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onOpenComplete -
clientId[PR_fa3633_1708832068590_MF_dea4fe_1708832068367-InternalReceiver],
receiverPath[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/0], linkName[LN_f9801c_1708832068620_e07_G30], updated-link-credit[300],
sentCredits[300]
[2024-02-25T03:34:28,658][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: EH client and receiver creation finished
[2024-02-25T03:34:28,658][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_fa3633_1708832068590_MF_dea4fe_1708832068367-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
0], linkName[LN_f9801c_1708832068620_e07_G30] - schedule operation timer, current:
[2024-02-25T03:34:28.658225415Z], remaining: [60] secs
[2024-02-25T03:34:28,658][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:34:28,800][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>2, :payload_size=>17105, :content_length=>2066, :batch_offset=>0}
[2024-02-25T03:34:30,735][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:34:30,736][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:34:30,766][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:34:31,079][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 0 is processing a batch of
size 1.
[2024-02-25T03:34:31,085][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 0: Saving checkpoint: 1533306928384//1261812
[2024-02-25T03:34:31,085][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 0: updateCheckpoint() 1533306928384//1261812
[2024-02-25T03:34:31,085][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 0 finished processing a batch
of 3436 bytes.
[2024-02-25T03:34:31,085][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_1063f9_1708832068598_MF_de12bf_1708832068377-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
0], linkName[LN_2e18ae_1708832068640_d90_G21] - schedule operation timer, current:
[2024-02-25T03:34:31.085570178Z], remaining: [60] secs
[2024-02-25T03:34:31,136][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:34:31.083880542Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:34:03+00:00\", \"time\": \"2024-02-25T03:34:03+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.11\",\"clientPort\":27342,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=30944&mode=al2&namber=41284&no=0&page=0&rev=1&space=45\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=30944&mode=al2&namber=41284&no=0&page=0&rev=1&spac
e=45\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":382,\"sentBytes\":7827,\"connectionSerialNumber\":509774,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.004,\"timeTaken\":0.063,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"88415ba40e5287398d64d93ed1e66824\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"27556\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:34:09+00:00\", \"time\": \"2024-02-25T03:34:09+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"24.249.199.12\",\"clientPort\":54368,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=41284&no=0&quot;&gt;male\",\"requestUri\":\"\\/cgi-
bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=41284&no=0&quot;&gt;male\",\"userAgen
t\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/114.0.0.0 Safari\\/537.36
Edge\\/44.18363.8131\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":595,\"sentBytes\":496,\"connectionSerialNumber\":509793,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"9b93ff83736bf4
b039da2cea895b79ae\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}", "event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-
02-25T03:34:03+00:00\", \"time\": \"2024-02-
25T03:34:03+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.11\",\"clientPort\":27342,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=30944&mode=al2&namber=41284&no=0&page=0&rev=1&space=45\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=30944&mode=al2&namber=41284&no=0&page=0&rev=1&spac
e=45\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":382,\"sentBytes\":7827,\"connectionSerialNumber\":509774,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.004,\"timeTaken\":0.063,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"88415ba40e5287398d64d93ed1e66824\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"27556\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:34:09+00:00\", \"time\": \"2024-02-25T03:34:09+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"24.249.199.12\",\"clientPort\":54368,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=41284&no=0&quot;&gt;male\",\"requestUri\":\"\\/cgi-
bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=41284&no=0&quot;&gt;male\",\"userAgen
t\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/114.0.0.0 Safari\\/537.36
Edge\\/44.18363.8131\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":595,\"sentBytes\":496,\"connectionSerialNumber\":509793,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"9b93ff83736bf4
b039da2cea895b79ae\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}"}}}
[2024-02-25T03:34:31,145][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:34:03+00:00", "timeStamp"=>"2024-02-25T03:34:03+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>27342,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.63e-1,
"transactionId"=>"88415ba40e5287398d64d93ed1e66824", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mo=30944&mode=al2&namber=41284&no=0&page=0&rev=1&space=45",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"185.191.171.11",
"httpStatus"=>200, "sentBytes"=>7827,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509774, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>382,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mo=30944&mode=al2&namber=41284&no=0&page=0&rev=1&space=45",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.4e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"27556",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.064"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, {"time"=>"2024-02-25T03:34:09+00:00",
"timeStamp"=>"2024-02-25T03:34:09+00:00",
"listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect", "properties"=>{"host"=>"",
"clientPort"=>54368, "sslProtocol"=>"", "serverRouted"=>"", "sslCipher"=>"",
"WAFMode"=>"", "timeTaken"=>0, "transactionId"=>"9b93ff83736bf4b039da2cea895b79ae",
"sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&namber=41284&no=0&quot;&gt;male", "WAFEvaluationTime"=>"",
"serverStatus"=>"", "clientIP"=>"24.249.199.12", "httpStatus"=>301,
"sentBytes"=>496, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509793, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>595,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=al2&namber=41284&no=0&quot;&gt;male",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Edge/44.18363.8131", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}], "@timestamp"=>2024-02-
25T03:34:31.083880542Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:34:03+00:00\", \"time\": \"2024-02-25T03:34:03+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.11\",\"clientPort\":27342,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=30944&mode=al2&namber=41284&no=0&page=0&rev=1&space=45\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=30944&mode=al2&namber=41284&no=0&page=0&rev=1&spac
e=45\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":382,\"sentBytes\":7827,\"connectionSerialNumber\":509774,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.004,\"timeTaken\":0.063,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"88415ba40e5287398d64d93ed1e66824\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"27556\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:34:09+00:00\", \"time\": \"2024-02-25T03:34:09+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"24.249.199.12\",\"clientPort\":54368,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=41284&no=0&quot;&gt;male\",\"requestUri\":\"\\/cgi-
bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=41284&no=0&quot;&gt;male\",\"userAgen
t\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/114.0.0.0 Safari\\/537.36
Edge\\/44.18363.8131\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":595,\"sentBytes\":496,\"connectionSerialNumber\":509793,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"9b93ff83736bf4
b039da2cea895b79ae\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}", "event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-
02-25T03:34:03+00:00\", \"time\": \"2024-02-
25T03:34:03+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.11\",\"clientPort\":27342,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=30944&mode=al2&namber=41284&no=0&page=0&rev=1&space=45\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=30944&mode=al2&namber=41284&no=0&page=0&rev=1&spac
e=45\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":382,\"sentBytes\":7827,\"connectionSerialNumber\":509774,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.004,\"timeTaken\":0.063,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"88415ba40e5287398d64d93ed1e66824\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"27556\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:34:09+00:00\", \"time\": \"2024-02-25T03:34:09+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\",
\"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"24.249.199.12\",\"clientPort\":54368,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=41284&no=0&quot;&gt;male\",\"requestUri\":\"\\/cgi-
bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=41284&no=0&quot;&gt;male\",\"userAgen
t\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/114.0.0.0 Safari\\/537.36
Edge\\/44.18363.8131\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":595,\"sentBytes\":496,\"connectionSerialNumber\":509793,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"9b93ff83736bf4
b039da2cea895b79ae\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}"}}}
[2024-02-25T03:34:31,148][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:34:03+00:00", "timeStamp"=>"2024-02-
25T03:34:03+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>27342,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.63e-1,
"transactionId"=>"88415ba40e5287398d64d93ed1e66824", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mo=30944&mode=al2&namber=41284&no=0&page=0&rev=1&space=45",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"185.191.171.11",
"httpStatus"=>200, "sentBytes"=>7827,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509774, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>382,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mo=30944&mode=al2&namber=41284&no=0&page=0&rev=1&space=45",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.4e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"27556",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.064"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:34:31,155][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:34:09+00:00", "timeStamp"=>"2024-02-
25T03:34:09+00:00", "listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect",
"properties"=>{"host"=>"", "clientPort"=>54368, "sslProtocol"=>"",
"serverRouted"=>"", "sslCipher"=>"", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"9b93ff83736bf4b039da2cea895b79ae", "sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&namber=41284&no=0&quot;&gt;male", "WAFEvaluationTime"=>"",
"serverStatus"=>"", "clientIP"=>"24.249.199.12", "httpStatus"=>301,
"sentBytes"=>496, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509793, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>595,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=al2&namber=41284&no=0&quot;&gt;male",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Edge/44.18363.8131", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, :field=>"records"}
[2024-02-25T03:34:31,186][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>2, :payload_size=>19372, :content_length=>3004, :batch_offset=>0}
[2024-02-25T03:34:31,469][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=540156057} forced-compaction result (captures: `3` span: `PT10.014303566S`)
[2024-02-25T03:34:31,469][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1346215174} forced-compaction result (captures: `3` span: `PT10.014676974S`)
[2024-02-25T03:34:31,469][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=827149645} forced-compaction result (captures: `3` span: `PT10.014808577S`)
[2024-02-25T03:34:31,469][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=235286487} forced-compaction result (captures: `3` span: `PT10.01497858S`)
[2024-02-25T03:34:31,470][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1065480294} forced-compaction result (captures: `3` span: `PT10.015106683S`)
[2024-02-25T03:34:31,470][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=57188157} forced-compaction result (captures: `3` span: `PT10.015222085S`)
[2024-02-25T03:34:31,470][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1486130488} forced-compaction result (captures: `3` span: `PT10.015361989S`)
[2024-02-25T03:34:31,470][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1741908330} forced-compaction result (captures: `3` span: `PT10.015486091S`)
[2024-02-25T03:34:31,470][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1466017590} forced-compaction result (captures: `3` span: `PT10.015579693S`)
[2024-02-25T03:34:31,470][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=272063376} forced-compaction result (captures: `3` span: `PT10.015671995S`)
[2024-02-25T03:34:31,470][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1815538147} forced-compaction result (captures: `3` span: `PT10.015764597S`)
[2024-02-25T03:34:31,470][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=273831222} forced-compaction result (captures: `3` span: `PT10.0158638S`)
[2024-02-25T03:34:31,471][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1255151645} forced-compaction result (captures: `3` span: `PT10.015960001S`)
[2024-02-25T03:34:31,471][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1620128012} forced-compaction result (captures: `3` span: `PT10.016055003S`)
[2024-02-25T03:34:31,471][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1001633036} forced-compaction result (captures: `3` span: `PT10.016178406S`)
[2024-02-25T03:34:31,471][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=969583785} forced-compaction result (captures: `3` span: `PT10.016572015S`)
[2024-02-25T03:34:31,523][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:34:31,523][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:34:32,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:34:33,349][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:34:33,349][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:34:33,349][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 24957
[2024-02-25T03:34:33,349][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
expired -1708832073349
[2024-02-25T03:34:33,349][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25240
[2024-02-25T03:34:33,349][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 24957
[2024-02-25T03:34:33,349][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25259
[2024-02-25T03:34:33,349][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
expired -1708832073349
[2024-02-25T03:34:33,349][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25240
[2024-02-25T03:34:33,349][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:34:33,349][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:34:33,349][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:34:33,349][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 1 leasesOwnedByOthers 2
unowned 1
[2024-02-25T03:34:33,349][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 1
[2024-02-25T03:34:33,349][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Finding expired leases from '2'[0] up to
'3'[1]
[2024-02-25T03:34:33,349][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Found in range: 0
[2024-02-25T03:34:33,350][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '3'[1] need 1
[2024-02-25T03:34:33,349][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25259
[2024-02-25T03:34:33,350][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:34:33,350][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:34:33,350][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:34:33,350][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 1
unowned 1
[2024-02-25T03:34:33,350][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:34:33,350][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:34:33,350][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:34:33,350][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:34:33,351][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Finding expired leases from '3'[1] up to
'0'[2]
[2024-02-25T03:34:33,351][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Found in range: 0
[2024-02-25T03:34:33,351][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '0'[2] need 1
[2024-02-25T03:34:33,351][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Finding expired leases from '0'[2] up to
'1'[3]
[2024-02-25T03:34:33,351][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Found in range: 0
[2024-02-25T03:34:33,351][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '1'[3] need 1
[2024-02-25T03:34:33,351][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Finding expired leases from '1'[3] up to
'end'[4]
[2024-02-25T03:34:33,351][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Found in range: 1
[2024-02-25T03:34:33,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: getLease()
[2024-02-25T03:34:33,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: acquireLease()
[2024-02-25T03:34:33,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
expired -1708832073352
[2024-02-25T03:34:33,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: acquireLease() acquired lease
[2024-02-25T03:34:33,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: Acquired unowned/expired
[2024-02-25T03:34:33,352][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: creating new pump
[2024-02-25T03:34:33,352][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: Creating and opening event processor
instance
[2024-02-25T03:34:33,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk skipping, startAt is off end:
4
[2024-02-25T03:34:33,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:34:33,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 3
[2024-02-25T03:34:33,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:34:33,354][DEBUG][logstash.codecs.plain ][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] config
LogStash::Codecs::Plain/@id = "plain_bcd08ae6-aa82-4171-bde3-c112f08f1df1"
[2024-02-25T03:34:33,354][DEBUG][logstash.codecs.plain ][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] config
LogStash::Codecs::Plain/@enable_metric = true
[2024-02-25T03:34:33,354][DEBUG][logstash.codecs.plain ][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] config
LogStash::Codecs::Plain/@charset = "UTF-8"
[2024-02-25T03:34:33,355][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 is opening.
[2024-02-25T03:34:33,362][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: Opening EH client
[2024-02-25T03:34:33,362][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_a4f1ec_1708832073362], hostName[yazure-eventhub-
apg01.servicebus.windows.net], info[starting reactor instance.]
[2024-02-25T03:34:33,363][INFO ][com.microsoft.azure.eventhubs.impl.ReactorHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
name[MF_a4f1ec_1708832073362] reactor.onReactorInit
[2024-02-25T03:34:33,363][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onConnectionInit
hostname[yazure-eventhub-apg01.servicebus.windows.net],
connectionId[MF_a4f1ec_1708832073362]
[2024-02-25T03:34:33,363][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalOpen hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_a4f1ec_1708832073362], errorCondition[null], errorDescription[null]
[2024-02-25T03:34:33,363][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionBound hostname[yazure-eventhub-apg01.servicebus.windows.net],
connectionId[MF_a4f1ec_1708832073362]
[2024-02-25T03:34:33,418][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteOpen hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_a4f1ec_1708832073362],
remoteContainer[475a474dabbe4da2a272955e454d445c_G10]
[2024-02-25T03:34:33,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: getCheckpoint() uninitalized
[2024-02-25T03:34:33,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: Calling user-provided initial position
provider
[2024-02-25T03:34:33,419][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: Initial position provided:
offset[@latest], sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:34:33,419][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: Opening EH receiver with epoch 0 at
location offset[@latest], sequenceNumber[null], enqueuedTime[null],
inclusiveFlag[false]
[2024-02-25T03:34:33,422][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
1], operationTimeout[PT1M], creating a receive link
[2024-02-25T03:34:33,423][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_a4f1ec_1708832073362], hostName[yazure-eventhub-
apg01.servicebus.windows.net], getting a session.
[2024-02-25T03:34:33,423][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_a4f1ec_1708832073362], entityName[cbs-session],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:34:33,434][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
senderName[cbs], linkName[cbs:sender], localTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:34:33,434][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[cbs], linkName[cbs:receiver], localSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:34:33,438][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_a4f1ec_1708832073362], entityName[cbs-session],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:34:33,438][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
senderName[cbs], linkName[cbs:sender], remoteTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:34:33,438][DEBUG]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkFlow
senderName[cbs], linkName[cbs:sender], unsettled[0], credit[100]
[2024-02-25T03:34:33,438][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[cbs], linkName[cbs:receiver], remoteSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:34:33,440][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onOpen complete clientId[MF_a4f1ec_1708832073362],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:34:33,440][DEBUG]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkFlow
senderName[cbs], linkName[cbs:sender], unsettled[1], credit[99]
[2024-02-25T03:34:33,449][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_a4f1ec_1708832073362], hostName[yazure-eventhub-
apg01.servicebus.windows.net], getting a session.
[2024-02-25T03:34:33,450][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionLocalOpen connectionId[MF_a4f1ec_1708832073362], entityName[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/1], condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:34:33,459][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionRemoteOpen connectionId[MF_a4f1ec_1708832073362], entityName[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/1], sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:34:33,460][INFO ][com.microsoft.azure.eventhubs.impl.PartitionReceiverImpl][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] receiverPath[RECEIVER IS NULL], action[createReceiveLink], offset[@latest], sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:34:33,460][INFO ][com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen receiverName[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver], linkName[LN_7535a2_1708832073460_45c_G10], localSource[Source{address='insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/1', durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false, dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-filter:string=UnknownDescribedType{descriptor=apache.org:selector-filter:string, described=amqp.annotation.x-opt-offset > '@latest'}}, defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:34:33,468][INFO ][com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen receiverName[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver], linkName[LN_7535a2_1708832073460_45c_G10], remoteSource[Source{address='insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/1', durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false, dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-filter:string=org.apache.qpid.proton.codec.DecoderImpl$UnknownDescribedType@15c690e}, defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:34:33,468][DEBUG][com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] clientId[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver], receiverPath[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/1], linkName[LN_7535a2_1708832073460_45c_G10], updated-link-credit[300], sentCredits[300], ThreadId[44]
[2024-02-25T03:34:33,468][INFO ][com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onOpenComplete - clientId[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver], receiverPath[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/1], linkName[LN_7535a2_1708832073460_45c_G10], updated-link-credit[300], sentCredits[300]
[2024-02-25T03:34:33,472][INFO ][com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: 1: EH client and receiver creation finished
[2024-02-25T03:34:33,473][DEBUG][com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] clientId[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver], path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/1], linkName[LN_7535a2_1708832073460_45c_G10] - schedule operation timer, current: [2024-02-25T03:34:33.473350395Z], remaining: [60] secs
[2024-02-25T03:34:33,473][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:34:33,726][DEBUG][logstash.config.source.local.configpathloader] Skipping the following files while reading config since they don't match the specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf", "/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg", "/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv", "/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf", "/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg", "/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg", "/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf", "/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf", "/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf", "/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:34:33,726][DEBUG][logstash.config.source.local.configpathloader] Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-accesslog.conf"}
[2024-02-25T03:34:33,737][DEBUG][logstash.agent ] Converging pipelines state {:actions_count=>0}
[2024-02-25T03:34:35,309][DEBUG][logstash.inputs.azure.processor][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub: insights-logs-applicationgatewayaccesslog, Partition: 1 is processing a batch of size 1.
[2024-02-25T03:34:35,314][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: 1: Saving checkpoint: 1533336227856//1261930
[2024-02-25T03:34:35,314][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: 1: updateCheckpoint() 1533336227856//1261930
[2024-02-25T03:34:35,314][DEBUG][logstash.inputs.azure.processor][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub: insights-logs-applicationgatewayaccesslog, Partition: 1 finished processing a batch of 3561 bytes.
[2024-02-25T03:34:35,314][DEBUG][com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] clientId[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver], path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/1], linkName[LN_7535a2_1708832073460_45c_G10] - schedule operation timer, current: [2024-02-25T03:34:35.314420831Z], remaining: [60] secs
[2024-02-25T03:34:35,365][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:34:35.312987601Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:34:06+00:00\", \"time\": \"2024-02-25T03:34:06+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"40.77.167.38\",\"clientPort\":45663,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=6735&namber=5789364&space=0&rev=0&page=0&In=1&no=0\",\"requestUri\":\"\
\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=6735&namber=5789364&space=0&rev=0&page=0&
In=1&no=0\",\"userAgent\":\"Mozilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko;
compatible; bingbot\\/2.0; +http:\\/\\/www.bing.com\\/bingbot.htm)
Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":374,\"sentBytes\":518,\"connectionSerialNumber\":509313,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"6be03d3457bf15
d280daea1e588a77e3\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:34:08+00:00\", \"time\": \"2024-02-
25T03:34:08+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"107.174.151.196\",\"clientPort\":43125,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=3764&namber=5789364&space=0&rev=1&page=0&in=1&no=0\",\"requestUri\":\"\
\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=3764&namber=5789364&space=0&rev=1&page=0&
in=1&no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox
One) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/114.0.0.0 Safari\\/537.36
Edge\\/44.18363.8131\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":617,\"sentBytes\":7666,\"connectionSerialNumber\":509314,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.06,\"WAFEva
luationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"8cd74d825dda5c375115673f47105acb\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.056\",\"upst
reamSourcePort\":\"56240\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:34:06+00:00\", \"time\": \"2024-02-
25T03:34:06+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"40.77.167.38\",\"clientPort\":45663,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=6735&namber=5789364&space=0&rev=0&page=0&In=1&no=0\",\"requestUri\":\"\
\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=6735&namber=5789364&space=0&rev=0&page=0&
In=1&no=0\",\"userAgent\":\"Mozilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko;
compatible; bingbot\\/2.0; +http:\\/\\/www.bing.com\\/bingbot.htm)
Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":374,\"sentBytes\":518,\"connectionSerialNumber\":509313,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"6be03d3457bf15
d280daea1e588a77e3\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:34:08+00:00\", \"time\": \"2024-02-
25T03:34:08+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"107.174.151.196\",\"clientPort\":43125,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=3764&namber=5789364&space=0&rev=1&page=0&in=1&no=0\",\"requestUri\":\"\
\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=3764&namber=5789364&space=0&rev=1&page=0&
in=1&no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox
One) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/114.0.0.0 Safari\\/537.36
Edge\\/44.18363.8131\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":617,\"sentBytes\":7666,\"connectionSerialNumber\":509314,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.06,\"WAFEva
luationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"8cd74d825dda5c375115673f47105acb\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.056\",\"upst
reamSourcePort\":\"56240\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:34:35,373][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:34:06+00:00", "timeStamp"=>"2024-02-25T03:34:06+00:00",
"listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect", "properties"=>{"host"=>"",
"clientPort"=>45663, "sslProtocol"=>"", "serverRouted"=>"", "sslCipher"=>"",
"WAFMode"=>"", "timeTaken"=>0, "transactionId"=>"6be03d3457bf15d280daea1e588a77e3",
"sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&mo=6735&namber=5789364&space=0&rev=0&page=0&In=1&no=0",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"40.77.167.38",
"httpStatus"=>301, "sentBytes"=>518,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509313, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>374,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&mo=6735&namber=5789364&space=0&rev=0&page=0&In=1&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible;
bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, {"time"=>"2024-02-
25T03:34:08+00:00", "timeStamp"=>"2024-02-25T03:34:08+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>43125,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.6e-1,
"transactionId"=>"8cd74d825dda5c375115673f47105acb", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&mo=3764&namber=5789364&space=0&rev=1&page=0&in=1&no=0",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"107.174.151.196",
"httpStatus"=>200, "sentBytes"=>7666,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509314, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>617,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&mo=3764&namber=5789364&space=0&rev=1&page=0&in=1&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Edge/44.18363.8131", "upstreamSourcePort"=>"56240",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.056"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}], "@timestamp"=>2024-02-
25T03:34:35.312987601Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:34:06+00:00\", \"time\": \"2024-02-25T03:34:06+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"40.77.167.38\",\"clientPort\":45663,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=6735&namber=5789364&space=0&rev=0&page=0&In=1&no=0\",\"requestUri\":\"\
\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=6735&namber=5789364&space=0&rev=0&page=0&
In=1&no=0\",\"userAgent\":\"Mozilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko;
compatible; bingbot\\/2.0; +http:\\/\\/www.bing.com\\/bingbot.htm)
Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":374,\"sentBytes\":518,\"connectionSerialNumber\":509313,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"6be03d3457bf15
d280daea1e588a77e3\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:34:08+00:00\", \"time\": \"2024-02-
25T03:34:08+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"107.174.151.196\",\"clientPort\":43125,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=3764&namber=5789364&space=0&rev=1&page=0&in=1&no=0\",\"requestUri\":\"\
\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=3764&namber=5789364&space=0&rev=1&page=0&
in=1&no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox
One) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/114.0.0.0 Safari\\/537.36
Edge\\/44.18363.8131\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":617,\"sentBytes\":7666,\"connectionSerialNumber\":509314,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.06,\"WAFEva
luationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"8cd74d825dda5c375115673f47105acb\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.056\",\"upst
reamSourcePort\":\"56240\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:34:06+00:00\", \"time\": \"2024-02-
25T03:34:06+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"40.77.167.38\",\"clientPort\":45663,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=6735&namber=5789364&space=0&rev=0&page=0&In=1&no=0\",\"requestUri\":\"\
\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=6735&namber=5789364&space=0&rev=0&page=0&
In=1&no=0\",\"userAgent\":\"Mozilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko;
compatible; bingbot\\/2.0; +http:\\/\\/www.bing.com\\/bingbot.htm)
Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":374,\"sentBytes\":518,\"connectionSerialNumber\":509313,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"6be03d3457bf15
d280daea1e588a77e3\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:34:08+00:00\", \"time\": \"2024-02-
25T03:34:08+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-AZURE_APG01_V2\", \"listenerName\":
\"APG01_Listener12_HTTPS_RepJP\", \"ruleName\": \"APG01_RoutingRule12_RepJP\", \"b
ackendPoolName\": \"APG01_BackendPool12_RepJP\", \"backendSettingName\": \"APG01_HT
TP12_RepJP\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Appl
icationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"107.174.151.196\",\"clientPort\":43125,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=3764&namber=5789364&space=0&rev=1&page=0&in=1&no=0\",\"requestUri\":\"\
\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=3764&namber=5789364&space=0&rev=1&page=0&
in=1&no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox
One) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/114.0.0.0 Safari\\/537.36
Edge\\/44.18363.8131\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":617,\"sentBytes\":7666,\"connectionSerialNumber\":509314,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.06,\"WAFEva
luationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"8cd74d825dda5c375115673f47105acb\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.056\",\"upst
reamSourcePort\":\"56240\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:34:35,376][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:34:06+00:00", "timeStamp"=>"2024-02-
25T03:34:06+00:00", "listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect",
"properties"=>{"host"=>"", "clientPort"=>45663, "sslProtocol"=>"",
"serverRouted"=>"", "sslCipher"=>"", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"6be03d3457bf15d280daea1e588a77e3", "sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&mo=6735&namber=5789364&space=0&rev=0&page=0&In=1&no=0",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"40.77.167.38",
"httpStatus"=>301, "sentBytes"=>518,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509313, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>374,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&mo=6735&namber=5789364&space=0&rev=0&page=0&In=1&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible;
bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, :field=>"records"}
[2024-02-25T03:34:35,383][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:34:08+00:00", "timeStamp"=>"2024-02-
25T03:34:08+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>43125,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.6e-1,
"transactionId"=>"8cd74d825dda5c375115673f47105acb", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&mo=3764&namber=5789364&space=0&rev=1&page=0&in=1&no=0",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"107.174.151.196",
"httpStatus"=>200, "sentBytes"=>7666,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509314, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>617,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&mo=3764&namber=5789364&space=0&rev=1&page=0&in=1&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Edge/44.18363.8131", "upstreamSourcePort"=>"56240",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.056"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:34:35,406][DEBUG][logstash.outputs.elasticsearch][azure_waf_access][002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final bulk request for batch. {:action_count=>2, :payload_size=>20120, :content_length=>2969, :batch_offset=>0}
[2024-02-25T03:34:36,474][DEBUG][org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current id=2108110993} forced-compaction result (captures: `3` span: `PT10.007633024S`)
[2024-02-25T03:34:36,474][DEBUG][org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current id=1130893468} forced-compaction result (captures: `3` span: `PT10.007957131S`)
[2024-02-25T03:34:36,529][DEBUG][logstash.instrument.periodicpoller.jvm] collector name {:name=>"G1 Young Generation"}
[2024-02-25T03:34:36,530][DEBUG][logstash.instrument.periodicpoller.jvm] collector name {:name=>"G1 Old Generation"}
[2024-02-25T03:34:36,730][DEBUG][logstash.config.source.local.configpathloader] Skipping the following files while reading config since they don't match the specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf", "/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg", "/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv", "/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf", "/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg", "/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg", "/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf", "/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf", "/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf", "/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:34:36,730][DEBUG][logstash.config.source.local.configpathloader] Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-accesslog.conf"}
[2024-02-25T03:34:36,740][DEBUG][logstash.agent ] Converging pipelines state {:actions_count=>0}
[2024-02-25T03:34:37,305][DEBUG][org.logstash.execution.PeriodicFlush][azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:34:38,350][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:34:38,350][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 19956
[2024-02-25T03:34:38,350][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25002
[2024-02-25T03:34:38,350][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20239
[2024-02-25T03:34:38,351][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20258
[2024-02-25T03:34:38,351][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:34:38,351][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:34:38,351][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:34:38,351][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:34:38,351][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:34:38,351][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:34:38,351][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:34:38,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:34:38,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:34:38,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 19954
[2024-02-25T03:34:38,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25000
[2024-02-25T03:34:38,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20237
[2024-02-25T03:34:38,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20256
[2024-02-25T03:34:38,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:34:38,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:34:38,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:34:38,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:34:38,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:34:38,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:34:38,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:34:38,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:34:38,589][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:34:38,589][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:34:38,590][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:34:38,609][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:34:38,610][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:34:38,610][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:34:38,649][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 0: leaseRenewer()
[2024-02-25T03:34:38,649][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 0: renewLease()
[2024-02-25T03:34:38,649][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 0: renewLease() not renewed because we don't
own lease
[2024-02-25T03:34:38,649][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 0: Lease lost, shutting down pump
[2024-02-25T03:34:38,650][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 0: Setting receive handler to null
[2024-02-25T03:34:38,658][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:34:38,658][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:34:38,658][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:34:38,964][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 2 is processing a batch of
size 1.
[2024-02-25T03:34:38,974][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: Saving checkpoint: 6725919630712//1542130
[2024-02-25T03:34:38,974][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: updateCheckpoint() 6725919630712//1542130
[2024-02-25T03:34:38,974][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 2 finished processing a batch
of 2067 bytes.
[2024-02-25T03:34:38,974][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_539107_1708832038496_MF_00b33c_1708832038383-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
2], linkName[LN_c22bd3_1708832038545_dc7f_G9] - schedule operation timer, current:
[2024-02-25T03:34:38.974468399Z], remaining: [60] secs
[2024-02-25T03:34:39,025][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:34:38.966762434Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:34:15+00:00\", \"time\": \"2024-02-25T03:34:15+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool12_ESS-
ESS\", \"backendSettingName\": \"APG02_HTTP12_ESS-
ESS\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Application
GatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62211,\"
httpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/ESS\\/ESS\\/VESD120.aspx?
qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d\",\"requestUri\":\"\\/ESS\\/ESS\\/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"requestQuery\":\"qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko)
Chrome\\/115.0.0.0 Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"application\\/x-www-form-urlencoded;
charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":36271,\"sentBytes\":138496,\"connectionSerialNumber\":53526
7,\"noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.071,\"W
AFEvaluationTime\":\"0.028\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/APG02_WAFPolicy12_ESS-
ESS\",\"transactionId\":\"5d92e3817f5aec8f2268adb2d24a6ddc\",\"sslEnabled\":\"on\",
\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.9.7:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.040\",\"upstr
eamSourcePort\":\"35654\",\"originalHost\":\"yazure-
ag.yokogawa.com\",\"host\":\"yazure-ag.yokogawa.com\"}}]}",
"event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:34:15+00:00\", \"time\": \"2024-02-25T03:34:15+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool12_ESS-
ESS\", \"backendSettingName\": \"APG02_HTTP12_ESS-
ESS\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Application
GatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62211,\"
httpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/ESS\\/ESS\\/VESD120.aspx?
qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d\",\"requestUri\":\"\\/ESS\\/ESS\\/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"requestQuery\":\"qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko)
Chrome\\/115.0.0.0 Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"application\\/x-www-form-urlencoded;
charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":36271,\"sentBytes\":138496,\"connectionSerialNumber\":53526
7,\"noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.071,\"W
AFEvaluationTime\":\"0.028\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/APG02_WAFPolicy12_ESS-
ESS\",\"transactionId\":\"5d92e3817f5aec8f2268adb2d24a6ddc\",\"sslEnabled\":\"on\",
\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.9.7:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.040\",\"upstr
eamSourcePort\":\"35654\",\"originalHost\":\"yazure-
ag.yokogawa.com\",\"host\":\"yazure-ag.yokogawa.com\"}}]}"}}}
[2024-02-25T03:34:39,026][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:34:15+00:00", "timeStamp"=>"2024-02-25T03:34:15+00:00",
"backendPoolName"=>"APG02_BackendPool12_ESS-ESS",
"listenerName"=>"APG02_Listener01_HTTPS", "properties"=>{"host"=>"yazure-
ag.yokogawa.com", "clientPort"=>62211, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.14.9.7:80", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.71e-1,
"transactionId"=>"5d92e3817f5aec8f2268adb2d24a6ddc", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/ESS/ESS/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d", "WAFEvaluationTime"=>"0.028",
"serverStatus"=>"200", "clientIP"=>"219.106.244.24", "httpStatus"=>200,
"sentBytes"=>138496, "requestUri"=>"/ESS/ESS/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy12_ESS-ESS",
"connectionSerialNumber"=>535267, "contentType"=>"application/x-www-form-
urlencoded; charset=UTF-8", "originalHost"=>"yazure-ag.yokogawa.com",
"sslEnabled"=>"on", "receivedBytes"=>36271, "httpMethod"=>"POST",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.5e-2,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188",
"upstreamSourcePort"=>"35654", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>"0.040"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP12_ESS-ESS",
"category"=>"ApplicationGatewayAccessLog", "ruleName"=>"APG02_RoutingRule01"}],
"@timestamp"=>2024-02-25T03:34:38.966762434Z, "message"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:34:15+00:00\", \"time\": \"2024-02-
25T03:34:15+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_
RoutingRule01\", \"backendPoolName\": \"APG02_BackendPool12_ESS-
ESS\", \"backendSettingName\": \"APG02_HTTP12_ESS-
ESS\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Application
GatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62211,\"
httpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/ESS\\/ESS\\/VESD120.aspx?
qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d\",\"requestUri\":\"\\/ESS\\/ESS\\/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"requestQuery\":\"qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko)
Chrome\\/115.0.0.0 Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"application\\/x-www-form-urlencoded;
charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":36271,\"sentBytes\":138496,\"connectionSerialNumber\":53526
7,\"noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.071,\"W
AFEvaluationTime\":\"0.028\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/APG02_WAFPolicy12_ESS-
ESS\",\"transactionId\":\"5d92e3817f5aec8f2268adb2d24a6ddc\",\"sslEnabled\":\"on\",
\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.9.7:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.040\",\"upstr
eamSourcePort\":\"35654\",\"originalHost\":\"yazure-
ag.yokogawa.com\",\"host\":\"yazure-ag.yokogawa.com\"}}]}",
"event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:34:15+00:00\", \"time\": \"2024-02-25T03:34:15+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool12_ESS-
ESS\", \"backendSettingName\": \"APG02_HTTP12_ESS-
ESS\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Application
GatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62211,\"
httpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/ESS\\/ESS\\/VESD120.aspx?
qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d\",\"requestUri\":\"\\/ESS\\/ESS\\/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"requestQuery\":\"qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko)
Chrome\\/115.0.0.0 Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"application\\/x-www-form-urlencoded;
charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":36271,\"sentBytes\":138496,\"connectionSerialNumber\":53526
7,\"noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.071,\"W
AFEvaluationTime\":\"0.028\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/APG02_WAFPolicy12_ESS-
ESS\",\"transactionId\":\"5d92e3817f5aec8f2268adb2d24a6ddc\",\"sslEnabled\":\"on\",
\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.9.7:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.040\",\"upstr
eamSourcePort\":\"35654\",\"originalHost\":\"yazure-
ag.yokogawa.com\",\"host\":\"yazure-ag.yokogawa.com\"}}]}"}}}
[2024-02-25T03:34:39,033][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:34:15+00:00", "timeStamp"=>"2024-02-
25T03:34:15+00:00", "backendPoolName"=>"APG02_BackendPool12_ESS-ESS",
"listenerName"=>"APG02_Listener01_HTTPS", "properties"=>{"host"=>"yazure-
ag.yokogawa.com", "clientPort"=>62211, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.14.9.7:80", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.71e-1,
"transactionId"=>"5d92e3817f5aec8f2268adb2d24a6ddc", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/ESS/ESS/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d", "WAFEvaluationTime"=>"0.028",
"serverStatus"=>"200", "clientIP"=>"219.106.244.24", "httpStatus"=>200,
"sentBytes"=>138496, "requestUri"=>"/ESS/ESS/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy12_ESS-ESS",
"connectionSerialNumber"=>535267, "contentType"=>"application/x-www-form-
urlencoded; charset=UTF-8", "originalHost"=>"yazure-ag.yokogawa.com",
"sslEnabled"=>"on", "receivedBytes"=>36271, "httpMethod"=>"POST",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.5e-2,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188",
"upstreamSourcePort"=>"35654", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>"0.040"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP12_ESS-ESS",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule01"}, :field=>"records"}
[2024-02-25T03:34:39,045][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>1, :payload_size=>6977, :content_length=>1940, :batch_offset=>0}
[2024-02-25T03:34:39,725][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:34:39,726][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:34:39,735][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:34:41,540][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:34:41,541][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:34:42,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:34:42,720][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:34:42,727][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:34:42,737][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:34:43,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:34:43,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25306
[2024-02-25T03:34:43,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20000
[2024-02-25T03:34:43,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25237
[2024-02-25T03:34:43,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25258
[2024-02-25T03:34:43,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:34:43,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:34:43,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:34:43,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:34:43,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:34:43,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:34:43,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:34:43,352][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:34:43,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:34:43,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25305
[2024-02-25T03:34:43,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 19999
[2024-02-25T03:34:43,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25236
[2024-02-25T03:34:43,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25257
[2024-02-25T03:34:43,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:34:43,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:34:43,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:34:43,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:34:43,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:34:43,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:34:43,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:34:43,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:34:43,473][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:34:43,473][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:34:43,474][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:34:45,726][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:34:45,727][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:34:45,736][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:34:46,550][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:34:46,551][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:34:47,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:34:48,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:34:48,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20305
[2024-02-25T03:34:48,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25121
[2024-02-25T03:34:48,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20236
[2024-02-25T03:34:48,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20257
[2024-02-25T03:34:48,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:34:48,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:34:48,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:34:48,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:34:48,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:34:48,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:34:48,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:34:48,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:34:48,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:34:48,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20304
[2024-02-25T03:34:48,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25120
[2024-02-25T03:34:48,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20235
[2024-02-25T03:34:48,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20256
[2024-02-25T03:34:48,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:34:48,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:34:48,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:34:48,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:34:48,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:34:48,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:34:48,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:34:48,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:34:48,590][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:34:48,590][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:34:48,590][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:34:48,610][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:34:48,610][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:34:48,610][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:34:48,658][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:34:48,659][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:34:48,659][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:34:48,720][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:34:48,727][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:34:48,736][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:34:51,557][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:34:51,558][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:34:51,722][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:34:51,722][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:34:51,731][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:34:52,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:34:53,353][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:34:53,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25305
[2024-02-25T03:34:53,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20120
[2024-02-25T03:34:53,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25236
[2024-02-25T03:34:53,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25256
[2024-02-25T03:34:53,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:34:53,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:34:53,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:34:53,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:34:53,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:34:53,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:34:53,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:34:53,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25305
[2024-02-25T03:34:53,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20120
[2024-02-25T03:34:53,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25236
[2024-02-25T03:34:53,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25256
[2024-02-25T03:34:53,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:34:53,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:34:53,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:34:53,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:34:53,354][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:34:53,355][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:34:53,355][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:34:53,355][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:34:53,355][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:34:53,355][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:34:53,474][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:34:53,474][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:34:53,474][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:34:54,722][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:34:54,722][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:34:54,731][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:34:56,486][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1206079401} forced-compaction result (captures: `3` span: `PT10.005273461S`)
[2024-02-25T03:34:56,486][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=725814568} forced-compaction result (captures: `3` span: `PT10.005573768S`)
[2024-02-25T03:34:56,486][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1730595321} forced-compaction result (captures: `3` span: `PT10.005676569S`)
[2024-02-25T03:34:56,571][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:34:56,571][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:34:57,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:34:57,722][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:34:57,722][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:34:57,731][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:34:58,355][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:34:58,355][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20304
[2024-02-25T03:34:58,355][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25119
[2024-02-25T03:34:58,355][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20235
[2024-02-25T03:34:58,355][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20255
[2024-02-25T03:34:58,355][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:34:58,355][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20304
[2024-02-25T03:34:58,355][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25119
[2024-02-25T03:34:58,355][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20235
[2024-02-25T03:34:58,355][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20255
[2024-02-25T03:34:58,355][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:34:58,355][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:34:58,355][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:34:58,356][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:34:58,356][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:34:58,356][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:34:58,356][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:34:58,356][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:34:58,356][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:34:58,356][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:34:58,356][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:34:58,356][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:34:58,356][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:34:58,356][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:34:58,356][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:34:58,356][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:34:58,587][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_539107_1708832038496_MF_00b33c_1708832038383-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
2], linkName[LN_c22bd3_1708832038545_dc7f_G9] - Reschedule operation timer,
current: [2024-02-25T03:34:58.586983966Z], remaining: [40] secs
[2024-02-25T03:34:58,590][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:34:58,590][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:34:58,590][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:34:58,610][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:34:58,610][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:34:58,610][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:34:58,616][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], linkName[LN_163586_1708832038575_634_G17] - Reschedule operation timer,
current: [2024-02-25T03:34:58.616048990Z], remaining: [28] secs
[2024-02-25T03:34:58,659][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:34:58,659][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:34:58,659][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:35:00,725][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:35:00,725][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:35:00,744][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:35:01,490][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=540156057} forced-compaction result (captures: `3` span: `PT10.006422786S`)
[2024-02-25T03:35:01,490][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1346215174} forced-compaction result (captures: `3` span: `PT10.006672592S`)
[2024-02-25T03:35:01,491][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=827149645} forced-compaction result (captures: `3` span: `PT10.006751593S`)
[2024-02-25T03:35:01,491][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=235286487} forced-compaction result (captures: `3` span: `PT10.006883996S`)
[2024-02-25T03:35:01,491][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1065480294} forced-compaction result (captures: `3` span: `PT10.006967497S`)
[2024-02-25T03:35:01,491][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=57188157} forced-compaction result (captures: `3` span: `PT10.007037599S`)
[2024-02-25T03:35:01,491][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1486130488} forced-compaction result (captures: `3` span: `PT10.0070932S`)
[2024-02-25T03:35:01,491][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1741908330} forced-compaction result (captures: `3` span: `PT10.007153702S`)
[2024-02-25T03:35:01,491][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1466017590} forced-compaction result (captures: `3` span: `PT10.007209902S`)
[2024-02-25T03:35:01,491][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=272063376} forced-compaction result (captures: `3` span: `PT10.007282604S`)
[2024-02-25T03:35:01,491][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1815538147} forced-compaction result (captures: `3` span: `PT10.007342705S`)
[2024-02-25T03:35:01,491][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=273831222} forced-compaction result (captures: `3` span: `PT10.007399007S`)
[2024-02-25T03:35:01,491][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1255151645} forced-compaction result (captures: `3` span: `PT10.007500409S`)
[2024-02-25T03:35:01,492][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1620128012} forced-compaction result (captures: `3` span: `PT10.007581911S`)
[2024-02-25T03:35:01,492][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1001633036} forced-compaction result (captures: `3` span: `PT10.007619011S`)
[2024-02-25T03:35:01,492][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=969583785} forced-compaction result (captures: `3` span: `PT10.007666513S`)
[2024-02-25T03:35:01,578][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:35:01,578][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:35:02,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:35:03,356][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:35:03,356][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:35:03,356][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25303
[2024-02-25T03:35:03,356][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25303
[2024-02-25T03:35:03,356][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20118
[2024-02-25T03:35:03,356][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25234
[2024-02-25T03:35:03,356][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25254
[2024-02-25T03:35:03,356][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20118
[2024-02-25T03:35:03,356][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25234
[2024-02-25T03:35:03,356][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25254
[2024-02-25T03:35:03,357][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:35:03,357][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:35:03,357][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:35:03,357][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:35:03,357][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:35:03,357][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:35:03,357][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:35:03,357][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:35:03,357][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:35:03,357][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:35:03,357][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:35:03,357][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:35:03,357][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:35:03,357][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:35:03,357][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:35:03,357][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:35:03,474][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:35:03,475][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:35:03,475][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:35:03,722][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:35:03,722][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:35:03,731][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:35:06,494][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=2108110993} forced-compaction result (captures: `3` span: `PT10.007646812S`)
[2024-02-25T03:35:06,495][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1130893468} forced-compaction result (captures: `3` span: `PT10.007921718S`)
[2024-02-25T03:35:06,587][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:35:06,587][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:35:06,721][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:35:06,721][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:35:06,730][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:35:07,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:35:07,565][INFO ][com.microsoft.azure.eventhubs.impl.ReceivePump]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Stopping receive
pump for eventHub (insights-logs-applicationgatewayaccesslog), consumerGroup
($Default), partition (0) as per the request.
[2024-02-25T03:35:07,565][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 0: Closing EH receiver
[2024-02-25T03:35:07,565][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[PR_1063f9_1708832068598_MF_de12bf_1708832068377]
[2024-02-25T03:35:07,565][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[PR_1063f9_1708832068598_MF_de12bf_1708832068377-InternalReceiver]
[2024-02-25T03:35:07,565][INFO ]
[com.microsoft.azure.eventhubs.impl.ActiveClientTokenManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientEntity[PR_1063f9_1708832068598_MF_de12bf_1708832068377-InternalReceiver] -
canceling ActiveClientLinkManager
[2024-02-25T03:35:07,566][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[PR_1063f9_1708832068598_MF_de12bf_1708832068377-InternalReceiver],
linkName[LN_2e18ae_1708832068640_d90_G21], errorCondition[null],
errorDescription[null]
[2024-02-25T03:35:07,566][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[PR_1063f9_1708832068598_MF_de12bf_1708832068377-InternalReceiver],
linkName[LN_2e18ae_1708832068640_d90_G21], errorCondition[null],
errorDescription[null]
[2024-02-25T03:35:07,567][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/0], entityName[MF_de12bf_1708832068377], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:35:07,569][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[PR_1063f9_1708832068598_MF_de12bf_1708832068377-
InternalReceiver], linkName[LN_2e18ae_1708832068640_d90_G21], errorCondition[null],
errorDescription[null]
[2024-02-25T03:35:07,569][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[PR_1063f9_1708832068598_MF_de12bf_1708832068377-InternalReceiver],
linkName[LN_2e18ae_1708832068640_d90_G21], errorCondition[null],
errorDescription[null]
[2024-02-25T03:35:07,570][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 0: Closing EH client
[2024-02-25T03:35:07,570][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[EC_b4c221_1708832068375]
[2024-02-25T03:35:07,570][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[MF_de12bf_1708832068377]
[2024-02-25T03:35:07,575][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/0], entityName[MF_de12bf_1708832068377], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:35:07,576][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalClose hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_de12bf_1708832068377], errorCondition[null], errorDescription[null]
[2024-02-25T03:35:07,576][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:35:07,577][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:35:07,577][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:35:07,578][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose connectionId[cbs-session], entityName[MF_de12bf_1708832068377],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:35:07,583][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[cbs], linkName[cbs:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:35:07,583][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:35:07,583][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:35:07,583][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:35:07,583][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onClose complete clientId[MF_de12bf_1708832068377],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:35:07,583][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_de12bf_1708832068377], hostName[yazure-eventhub-
apg01.servicebus.windows.net], info[cbsChannel closed]
[2024-02-25T03:35:07,583][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteClose hostname[yazure-eventhub-
apg01.servicebus.windows.net:5671], connectionId[MF_de12bf_1708832068377],
errorCondition[null], errorDescription[null]
[2024-02-25T03:35:07,583][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionError messagingFactory[MF_de12bf_1708832068377], hostname[yazure-
eventhub-apg01.servicebus.windows.net], error[null]
[2024-02-25T03:35:07,583][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_de12bf_1708832068377], error[n/a]
[2024-02-25T03:35:07,583][INFO ]
[com.microsoft.azure.eventhubs.impl.CustomIOHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed name[MF_de12bf_1708832068377], hostname[yazure-eventhub-
apg01.servicebus.windows.net:5671]
[2024-02-25T03:35:07,584][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionUnbound hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_de12bf_1708832068377], state[CLOSED], remoteState[CLOSED]
[2024-02-25T03:35:07,584][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_de12bf_1708832068377], entityName[cbs-session], condition[null],
description[null]
[2024-02-25T03:35:07,584][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_de12bf_1708832068377], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/0], condition[null],
description[null]
[2024-02-25T03:35:07,584][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionFinal hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_de12bf_1708832068377], errorCondition[null], errorDescription[null]
[2024-02-25T03:35:07,589][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_de12bf_1708832068377], hostName[yazure-eventhub-
apg01.servicebus.windows.net], message[stopping the reactor because thread was
interrupted or the reactor has no more events to process.]
[2024-02-25T03:35:07,592][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 0 is closing.
(reason=LeaseLost)
[2024-02-25T03:35:08,357][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:35:08,357][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20302
[2024-02-25T03:35:08,357][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:35:08,357][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25118
[2024-02-25T03:35:08,357][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20233
[2024-02-25T03:35:08,357][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20302
[2024-02-25T03:35:08,357][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25118
[2024-02-25T03:35:08,357][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20233
[2024-02-25T03:35:08,357][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20253
[2024-02-25T03:35:08,358][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:35:08,358][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:35:08,358][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:35:08,358][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:35:08,358][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:35:08,358][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:35:08,358][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:35:08,358][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:35:08,357][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20253
[2024-02-25T03:35:08,359][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:35:08,359][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:35:08,359][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:35:08,359][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:35:08,359][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:35:08,359][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:35:08,359][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 2
[2024-02-25T03:35:08,359][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:35:08,590][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:35:08,591][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:35:08,591][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:35:08,610][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:35:08,611][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:35:08,611][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:35:08,659][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:35:08,659][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:35:08,660][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:35:09,723][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:35:09,723][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:35:09,732][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:35:11,599][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:35:11,600][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:35:12,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:35:12,722][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:35:12,722][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:35:12,731][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:35:13,359][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:35:13,359][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:35:13,359][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25300
[2024-02-25T03:35:13,359][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20116
[2024-02-25T03:35:13,359][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25300
[2024-02-25T03:35:13,359][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25232
[2024-02-25T03:35:13,359][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25252
[2024-02-25T03:35:13,359][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:35:13,359][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:35:13,359][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:35:13,359][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:35:13,359][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:35:13,359][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:35:13,359][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:35:13,359][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:35:13,359][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20116
[2024-02-25T03:35:13,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25231
[2024-02-25T03:35:13,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25251
[2024-02-25T03:35:13,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:35:13,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:35:13,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:35:13,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:35:13,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:35:13,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:35:13,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:35:13,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:35:13,475][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:35:13,475][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:35:13,475][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:35:15,718][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:35:15,719][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:35:15,728][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:35:16,042][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 is processing a batch of
size 1.
[2024-02-25T03:35:16,046][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: Saving checkpoint: 1533336231488//1261931
[2024-02-25T03:35:16,046][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: updateCheckpoint() 1533336231488//1261931
[2024-02-25T03:35:16,046][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 finished processing a batch
of 1917 bytes.
[2024-02-25T03:35:16,096][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:35:16.044464310Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:34:49+00:00\", \"time\": \"2024-02-25T03:34:49+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"52.167.144.218\",\"clientPort\":45190,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=5401&rev=1&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=5401&rev=1&no=0\",\"userAgent\":\"Moz
illa\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko; compatible; bingbot\\/2.0;
+http:\\/\\/www.bing.com\\/bingbot.htm) Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":343,\"sentBytes\":6117,\"connectionSerialNumber\":509358,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.067,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"c0f4f4e0595becae486c7afcebc0f6c6\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.068\",\"upst
reamSourcePort\":\"38262\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:34:49+00:00\", \"time\": \"2024-02-
25T03:34:49+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"52.167.144.218\",\"clientPort\":45190,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=5401&rev=1&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=5401&rev=1&no=0\",\"userAgent\":\"Moz
illa\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko; compatible; bingbot\\/2.0;
+http:\\/\\/www.bing.com\\/bingbot.htm) Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":343,\"sentBytes\":6117,\"connectionSerialNumber\":509358,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.067,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"c0f4f4e0595becae486c7afcebc0f6c6\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.068\",\"upst
reamSourcePort\":\"38262\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:35:16,098][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:34:49+00:00", "timeStamp"=>"2024-02-25T03:34:49+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>45190,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.67e-1,
"transactionId"=>"c0f4f4e0595becae486c7afcebc0f6c6", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&namber=5401&rev=1&no=0", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"52.167.144.218", "httpStatus"=>200,
"sentBytes"=>6117, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509358, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>343,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&namber=5401&rev=1&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible;
bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36",
"upstreamSourcePort"=>"38262", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>"0.068"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}], "@timestamp"=>2024-02-
25T03:35:16.044464310Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:34:49+00:00\", \"time\": \"2024-02-25T03:34:49+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"52.167.144.218\",\"clientPort\":45190,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=5401&rev=1&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=5401&rev=1&no=0\",\"userAgent\":\"Moz
illa\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko; compatible; bingbot\\/2.0;
+http:\\/\\/www.bing.com\\/bingbot.htm) Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":343,\"sentBytes\":6117,\"connectionSerialNumber\":509358,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.067,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"c0f4f4e0595becae486c7afcebc0f6c6\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.068\",\"upst
reamSourcePort\":\"38262\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:34:49+00:00\", \"time\": \"2024-02-
25T03:34:49+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"52.167.144.218\",\"clientPort\":45190,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=5401&rev=1&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=5401&rev=1&no=0\",\"userAgent\":\"Moz
illa\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko; compatible; bingbot\\/2.0;
+http:\\/\\/www.bing.com\\/bingbot.htm) Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":343,\"sentBytes\":6117,\"connectionSerialNumber\":509358,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.067,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"c0f4f4e0595becae486c7afcebc0f6c6\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.068\",\"upst
reamSourcePort\":\"38262\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:35:16,099][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:34:49+00:00", "timeStamp"=>"2024-02-
25T03:34:49+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>45190,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.67e-1,
"transactionId"=>"c0f4f4e0595becae486c7afcebc0f6c6", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&namber=5401&rev=1&no=0", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"52.167.144.218", "httpStatus"=>200,
"sentBytes"=>6117, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509358, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>343,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&namber=5401&rev=1&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible;
bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36",
"upstreamSourcePort"=>"38262", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>"0.068"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:35:16,103][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>1, :payload_size=>6566, :content_length=>1946, :batch_offset=>0}
[2024-02-25T03:35:16,500][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=347708838} forced-compaction result
(captures: `13` span: `PT1M0.048703601S`)
[2024-02-25T03:35:16,500][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1975461151} forced-compaction result
(captures: `13` span: `PT1M0.048923305S`)
[2024-02-25T03:35:16,500][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=834359250} forced-compaction result
(captures: `13` span: `PT1M0.048989106S`)
[2024-02-25T03:35:16,500][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=212501865} forced-compaction result
(captures: `13` span: `PT1M0.049023407S`)
[2024-02-25T03:35:16,500][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1420193271} forced-compaction result
(captures: `13` span: `PT1M0.049067409S`)
[2024-02-25T03:35:16,611][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:35:16,611][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:35:17,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:35:18,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:35:18,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20299
[2024-02-25T03:35:18,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25115
[2024-02-25T03:35:18,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20231
[2024-02-25T03:35:18,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20251
[2024-02-25T03:35:18,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:35:18,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20299
[2024-02-25T03:35:18,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25115
[2024-02-25T03:35:18,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20231
[2024-02-25T03:35:18,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20251
[2024-02-25T03:35:18,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:35:18,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:35:18,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:35:18,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:35:18,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:35:18,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:35:18,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:35:18,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:35:18,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:35:18,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:35:18,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:35:18,360][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:35:18,361][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:35:18,361][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:35:18,361][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:35:18,361][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:35:18,591][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:35:18,591][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:35:18,591][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:35:18,611][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:35:18,611][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:35:18,611][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:35:18,660][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:35:18,660][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:35:18,660][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:35:18,722][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:35:18,723][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:35:18,731][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:35:21,503][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1185004608} forced-compaction result
(captures: `13` span: `PT1M0.049000651S`)
[2024-02-25T03:35:21,504][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=470312551} forced-compaction result
(captures: `13` span: `PT1M0.049242455S`)
[2024-02-25T03:35:21,504][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1089746968} forced-compaction result
(captures: `13` span: `PT1M0.049310957S`)
[2024-02-25T03:35:21,504][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=852728684} forced-compaction result
(captures: `13` span: `PT1M0.049367359S`)
[2024-02-25T03:35:21,504][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2044420810} forced-compaction result
(captures: `13` span: `PT1M0.04941436S`)
[2024-02-25T03:35:21,504][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=650053832} forced-compaction result
(captures: `13` span: `PT1M0.04945636S`)
[2024-02-25T03:35:21,504][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1206567167} forced-compaction result
(captures: `13` span: `PT1M0.04947526S`)
[2024-02-25T03:35:21,504][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1766603669} forced-compaction result
(captures: `13` span: `PT1M0.049518962S`)
[2024-02-25T03:35:21,504][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1260640580} forced-compaction result
(captures: `13` span: `PT1M0.049556263S`)
[2024-02-25T03:35:21,504][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=352608672} forced-compaction result
(captures: `13` span: `PT1M0.049601364S`)
[2024-02-25T03:35:21,506][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=83404487} forced-compaction result
(captures: `13` span: `PT1M0.050699287S`)
[2024-02-25T03:35:21,507][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=216053086} forced-compaction result
(captures: `13` span: `PT1M0.051916613S`)
[2024-02-25T03:35:21,507][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1499243647} forced-compaction result
(captures: `13` span: `PT1M0.051989915S`)
[2024-02-25T03:35:21,507][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1877198741} forced-compaction result
(captures: `13` span: `PT1M0.052055517S`)
[2024-02-25T03:35:21,624][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:35:21,624][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:35:21,725][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:35:21,726][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:35:21,729][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:35:22,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:35:23,361][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:35:23,361][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:35:23,361][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25299
[2024-02-25T03:35:23,361][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20114
[2024-02-25T03:35:23,361][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25299
[2024-02-25T03:35:23,361][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20114
[2024-02-25T03:35:23,361][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25230
[2024-02-25T03:35:23,361][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25250
[2024-02-25T03:35:23,361][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:35:23,361][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:35:23,361][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:35:23,361][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:35:23,361][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:35:23,361][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:35:23,361][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:35:23,361][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:35:23,361][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25230
[2024-02-25T03:35:23,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25249
[2024-02-25T03:35:23,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:35:23,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:35:23,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:35:23,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:35:23,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:35:23,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:35:23,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:35:23,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:35:23,476][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:35:23,476][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:35:23,476][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:35:24,724][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:35:24,725][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:35:24,733][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:35:26,509][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1206079401} forced-compaction result (captures: `3` span: `PT10.00897224S`)
[2024-02-25T03:35:26,509][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=725814568} forced-compaction result (captures: `3` span: `PT10.009075643S`)
[2024-02-25T03:35:26,509][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1730595321} forced-compaction result (captures: `3` span: `PT10.009088643S`)
[2024-02-25T03:35:26,510][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2047832316} forced-compaction result
(captures: `13` span: `PT1M0.043413576S`)
[2024-02-25T03:35:26,510][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=267304298} forced-compaction result
(captures: `13` span: `PT1M0.043511078S`)
[2024-02-25T03:35:26,634][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:35:26,634][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:35:27,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:35:27,492][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], linkName[LN_163586_1708832038575_634_G17] - schedule operation timer, current:
[2024-02-25T03:35:27.492543884Z], remaining: [60] secs
[2024-02-25T03:35:27,493][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], linkName[LN_163586_1708832038575_634_G17] - Reschedule operation timer,
current: [2024-02-25T03:35:27.493168897Z], remaining: [59] secs
[2024-02-25T03:35:27,725][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:35:27,725][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:35:27,734][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:35:28,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:35:28,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20298
[2024-02-25T03:35:28,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25114
[2024-02-25T03:35:28,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20229
[2024-02-25T03:35:28,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20249
[2024-02-25T03:35:28,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:35:28,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20298
[2024-02-25T03:35:28,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25114
[2024-02-25T03:35:28,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:35:28,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20229
[2024-02-25T03:35:28,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:35:28,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20249
[2024-02-25T03:35:28,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:35:28,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:35:28,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:35:28,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:35:28,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:35:28,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:35:28,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:35:28,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:35:28,362][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:35:28,363][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:35:28,363][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:35:28,363][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:35:28,363][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:35:28,363][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:35:28,591][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:35:28,591][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:35:28,591][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:35:28,611][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:35:28,611][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:35:28,612][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:35:28,660][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:35:28,660][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:35:28,660][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_fa3633_1708832068590_MF_dea4fe_1708832068367-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
0], linkName[LN_f9801c_1708832068620_e07_G30] - schedule operation timer, current:
[2024-02-25T03:35:28.660767295Z], remaining: [60] secs
[2024-02-25T03:35:28,660][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:35:30,725][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:35:30,725][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:35:30,734][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:35:31,513][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=540156057} forced-compaction result (captures: `3` span: `PT10.009629554S`)
[2024-02-25T03:35:31,513][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1346215174} forced-compaction result (captures: `3` span: `PT10.009911161S`)
[2024-02-25T03:35:31,513][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=827149645} forced-compaction result (captures: `3` span: `PT10.010013063S`)
[2024-02-25T03:35:31,514][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=235286487} forced-compaction result (captures: `3` span: `PT10.00987746S`)
[2024-02-25T03:35:31,514][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1065480294} forced-compaction result (captures: `3` span: `PT10.00987226S`)
[2024-02-25T03:35:31,514][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=57188157} forced-compaction result (captures: `3` span: `PT10.009868559S`)
[2024-02-25T03:35:31,514][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1486130488} forced-compaction result (captures: `3` span: `PT10.00987406S`)
[2024-02-25T03:35:31,514][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1741908330} forced-compaction result (captures: `3` span: `PT10.009902661S`)
[2024-02-25T03:35:31,514][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1466017590} forced-compaction result (captures: `3` span: `PT10.009951062S`)
[2024-02-25T03:35:31,514][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=272063376} forced-compaction result (captures: `3` span: `PT10.009968462S`)
[2024-02-25T03:35:31,514][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1815538147} forced-compaction result (captures: `3` span: `PT10.009989862S`)
[2024-02-25T03:35:31,514][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=273831222} forced-compaction result (captures: `3` span: `PT10.009996963S`)
[2024-02-25T03:35:31,514][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1255151645} forced-compaction result (captures: `3` span: `PT10.00895244S`)
[2024-02-25T03:35:31,514][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1620128012} forced-compaction result (captures: `3` span: `PT10.007785615S`)
[2024-02-25T03:35:31,514][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1001633036} forced-compaction result (captures: `3` span: `PT10.007764615S`)
[2024-02-25T03:35:31,514][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=969583785} forced-compaction result (captures: `3` span: `PT10.007754014S`)
[2024-02-25T03:35:31,640][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:35:31,640][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:35:32,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:35:32,737][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 is processing a batch of
size 1.
[2024-02-25T03:35:32,743][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: Saving checkpoint: 1533336233472//1261932
[2024-02-25T03:35:32,744][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: updateCheckpoint() 1533336233472//1261932
[2024-02-25T03:35:32,744][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 finished processing a batch
of 7407 bytes.
[2024-02-25T03:35:32,795][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:35:32.742378528Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:35:00+00:00\", \"time\": \"2024-02-25T03:35:00+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"52.167.144.218\",\"clientPort\":35329,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=42194&namber=5789364&space=0&rev=0&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=42194&namber=5789364&space=0&rev=0&page=0
&no=0\",\"userAgent\":\"Mozilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko;
compatible; bingbot\\/2.0; +http:\\/\\/www.bing.com\\/bingbot.htm)
Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":370,\"sentBytes\":514,\"connectionSerialNumber\":509818,\"n
oOfConnectionRequests\":2,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"714497a3dc084c
d3bbb7ca1d47115991\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:35:04+00:00\", \"time\": \"2024-02-
25T03:35:04+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57486,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=10_logistics&q0=technical%20support\",\"requestUri\":\"\\/cs\\/
gw\",\"requestQuery\":\"c-id=000671&r1=03_products&r2=02_solution-based
%20software&r3=10_logistics&q0=technical%20support\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64; rv:109.0) Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":358,\"sentBytes\":62229,\"connectionSerialNumber\":509824,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.381,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"48cc3db755fbaf2a76754146241
a8295\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.380\",\"ups
treamSourcePort\":\"37354\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:35:05+00:00\", \"time\": \"2024-02-25T03:35:05+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57532,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000671&r1=03_products&r2=02_solution-based%20software&r3=10_logistics&q0=sales
%20and%20quote\",\"requestUri\":\"\\/cs\\/gw\",\"requestQuery\":\"c-
id=000671&r1=03_products&r2=02_solution-based%20software&r3=10_logistics&q0=sales
%20and%20quote\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64;
rv:109.0) Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":358,\"sentBytes\":62229,\"connectionSerialNumber\":509843,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.543,\"WAFEvalu
ationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"0b335fcabd3d694361499641b70
708ae\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.544\",\"ups
treamSourcePort\":\"37374\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:35:05+00:00\", \"time\": \"2024-02-25T03:35:05+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57536,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=10_logistics\",\"requestUri\":\"\\/cs\\/gw\",\"requestQuery\":\"c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=10_logistics\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64; rv:109.0) Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":335,\"sentBytes\":62249,\"connectionSerialNumber\":509842,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.555,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"76c8655e9c0d7b3b1ad78b58aa7
17610\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.556\",\"ups
treamSourcePort\":\"37354\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:35:00+00:00\", \"time\": \"2024-02-
25T03:35:00+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"52.167.144.218\",\"clientPort\":35329,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=42194&namber=5789364&space=0&rev=0&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=42194&namber=5789364&space=0&rev=0&page=0
&no=0\",\"userAgent\":\"Mozilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko;
compatible; bingbot\\/2.0; +http:\\/\\/www.bing.com\\/bingbot.htm)
Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":370,\"sentBytes\":514,\"connectionSerialNumber\":509818,\"n
oOfConnectionRequests\":2,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"714497a3dc084c
d3bbb7ca1d47115991\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serv
erRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSour
cePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"\"}},
{ \"timeStamp\": \"2024-02-25T03:35:04+00:00\", \"time\": \"2024-02-
25T03:35:04+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57486,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=10_logistics&q0=technical%20support\",\"requestUri\":\"\\/cs\\/
gw\",\"requestQuery\":\"c-id=000671&r1=03_products&r2=02_solution-based
%20software&r3=10_logistics&q0=technical%20support\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64; rv:109.0) Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":358,\"sentBytes\":62229,\"connectionSerialNumber\":509824,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.381,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"48cc3db755fbaf2a76754146241
a8295\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.380\",\"ups
treamSourcePort\":\"37354\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:35:05+00:00\", \"time\": \"2024-02-25T03:35:05+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57532,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000671&r1=03_products&r2=02_solution-based%20software&r3=10_logistics&q0=sales
%20and%20quote\",\"requestUri\":\"\\/cs\\/gw\",\"requestQuery\":\"c-
id=000671&r1=03_products&r2=02_solution-based%20software&r3=10_logistics&q0=sales
%20and%20quote\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64;
rv:109.0) Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":358,\"sentBytes\":62229,\"connectionSerialNumber\":509843,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.543,\"WAFEvalu
ationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"0b335fcabd3d694361499641b70
708ae\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.544\",\"ups
treamSourcePort\":\"37374\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:35:05+00:00\", \"time\": \"2024-02-25T03:35:05+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57536,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=10_logistics\",\"requestUri\":\"\\/cs\\/gw\",\"requestQuery\":\"c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=10_logistics\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64; rv:109.0) Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":335,\"sentBytes\":62249,\"connectionSerialNumber\":509842,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.555,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"76c8655e9c0d7b3b1ad78b58aa7
17610\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.556\",\"ups
treamSourcePort\":\"37354\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}}]}"}}}
[2024-02-25T03:35:32,801][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:35:00+00:00", "timeStamp"=>"2024-02-25T03:35:00+00:00",
"listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect", "properties"=>{"host"=>"",
"clientPort"=>35329, "sslProtocol"=>"", "serverRouted"=>"", "sslCipher"=>"",
"WAFMode"=>"", "timeTaken"=>0, "transactionId"=>"714497a3dc084cd3bbb7ca1d47115991",
"sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&mo=42194&namber=5789364&space=0&rev=0&page=0&no=0",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"52.167.144.218",
"httpStatus"=>301, "sentBytes"=>514,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509818, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>370,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=al2&mo=42194&namber=5789364&space=0&rev=0&page=0&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible;
bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>2,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, {"time"=>"2024-02-
25T03:35:04+00:00", "timeStamp"=>"2024-02-25T03:35:04+00:00",
"backendPoolName"=>"APG01_BackendPool09_ContactSystem",
"listenerName"=>"APG01_Listener09_HTTPS_ContactSystem",
"properties"=>{"host"=>"contact.yokogawa.com", "clientPort"=>57486,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.14.10.57:80", "sslCipher"=>"ECDHE-
RSA-AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.381e0,
"transactionId"=>"48cc3db755fbaf2a76754146241a8295", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cs/gw?c-id=000671&r1=03_products&r2=02_solution-
based%20software&r3=10_logistics&q0=technical%20support",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"178.162.141.227",
"httpStatus"=>200, "sentBytes"=>62229, "requestUri"=>"/cs/gw",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/
APG01V2_WAFPolicy09_ContactSystem", "connectionSerialNumber"=>509824,
"contentType"=>"", "originalHost"=>"contact.yokogawa.com", "sslEnabled"=>"on",
"receivedBytes"=>358, "httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_4", "requestQuery"=>"c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=10_logistics&q0=technical%20support",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101
Firefox/111.0", "upstreamSourcePort"=>"37354",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.380"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP09_ContactSystem",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_Listener09_HTTPS_ContactSystem"}, {"time"=>"2024-02-
25T03:35:05+00:00", "timeStamp"=>"2024-02-25T03:35:05+00:00",
"backendPoolName"=>"APG01_BackendPool09_ContactSystem",
"listenerName"=>"APG01_Listener09_HTTPS_ContactSystem",
"properties"=>{"host"=>"contact.yokogawa.com", "clientPort"=>57532,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.14.10.57:80", "sslCipher"=>"ECDHE-
RSA-AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.543e0,
"transactionId"=>"0b335fcabd3d694361499641b70708ae", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cs/gw?c-id=000671&r1=03_products&r2=02_solution-
based%20software&r3=10_logistics&q0=sales%20and%20quote",
"WAFEvaluationTime"=>"0.004", "serverStatus"=>"200", "clientIP"=>"178.162.141.227",
"httpStatus"=>200, "sentBytes"=>62229, "requestUri"=>"/cs/gw",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/
APG01V2_WAFPolicy09_ContactSystem", "connectionSerialNumber"=>509843,
"contentType"=>"", "originalHost"=>"contact.yokogawa.com", "sslEnabled"=>"on",
"receivedBytes"=>358, "httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_4", "requestQuery"=>"c-
id=000671&r1=03_products&r2=02_solution-based%20software&r3=10_logistics&q0=sales
%20and%20quote", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101
Firefox/111.0", "upstreamSourcePort"=>"37374",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.544"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP09_ContactSystem",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_Listener09_HTTPS_ContactSystem"}, {"time"=>"2024-02-
25T03:35:05+00:00", "timeStamp"=>"2024-02-25T03:35:05+00:00",
"backendPoolName"=>"APG01_BackendPool09_ContactSystem",
"listenerName"=>"APG01_Listener09_HTTPS_ContactSystem",
"properties"=>{"host"=>"contact.yokogawa.com", "clientPort"=>57536,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.14.10.57:80", "sslCipher"=>"ECDHE-
RSA-AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.555e0,
"transactionId"=>"76c8655e9c0d7b3b1ad78b58aa717610", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cs/gw?c-id=000671&r1=03_products&r2=02_solution-
based%20software&r3=10_logistics", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"178.162.141.227", "httpStatus"=>200,
"sentBytes"=>62249, "requestUri"=>"/cs/gw",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/
APG01V2_WAFPolicy09_ContactSystem", "connectionSerialNumber"=>509842,
"contentType"=>"", "originalHost"=>"contact.yokogawa.com", "sslEnabled"=>"on",
"receivedBytes"=>335, "httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_4", "requestQuery"=>"c-
id=000671&r1=03_products&r2=02_solution-based%20software&r3=10_logistics",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101
Firefox/111.0", "upstreamSourcePort"=>"37354",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.556"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP09_ContactSystem",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_Listener09_HTTPS_ContactSystem"}], "@timestamp"=>2024-02-
25T03:35:32.742378528Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:35:00+00:00\", \"time\": \"2024-02-25T03:35:00+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"52.167.144.218\",\"clientPort\":35329,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=42194&namber=5789364&space=0&rev=0&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=42194&namber=5789364&space=0&rev=0&page=0
&no=0\",\"userAgent\":\"Mozilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko;
compatible; bingbot\\/2.0; +http:\\/\\/www.bing.com\\/bingbot.htm)
Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":370,\"sentBytes\":514,\"connectionSerialNumber\":509818,\"n
oOfConnectionRequests\":2,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"714497a3dc084c
d3bbb7ca1d47115991\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:35:04+00:00\", \"time\": \"2024-02-
25T03:35:04+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-AZURE_APG01_V2\",
\"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"ruleName\": \"APG01_
Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_BackendPool09_Contac
tSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\", \"operationName\
": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"p
roperties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57486,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=10_logistics&q0=technical%20support\",\"requestUri\":\"\\/cs\\/
gw\",\"requestQuery\":\"c-id=000671&r1=03_products&r2=02_solution-based
%20software&r3=10_logistics&q0=technical%20support\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64; rv:109.0) Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":358,\"sentBytes\":62229,\"connectionSerialNumber\":509824,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.381,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"48cc3db755fbaf2a76754146241
a8295\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.380\",\"ups
treamSourcePort\":\"37354\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:35:05+00:00\", \"time\": \"2024-02-25T03:35:05+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57532,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000671&r1=03_products&r2=02_solution-based%20software&r3=10_logistics&q0=sales
%20and%20quote\",\"requestUri\":\"\\/cs\\/gw\",\"requestQuery\":\"c-
id=000671&r1=03_products&r2=02_solution-based%20software&r3=10_logistics&q0=sales
%20and%20quote\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64;
rv:109.0) Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":358,\"sentBytes\":62229,\"connectionSerialNumber\":509843,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.543,\"WAFEvalu
ationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"0b335fcabd3d694361499641b70
708ae\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.544\",\"ups
treamSourcePort\":\"37374\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:35:05+00:00\", \"time\": \"2024-02-25T03:35:05+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57536,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=10_logistics\",\"requestUri\":\"\\/cs\\/gw\",\"requestQuery\":\"c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=10_logistics\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64; rv:109.0) Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":335,\"sentBytes\":62249,\"connectionSerialNumber\":509842,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.555,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"76c8655e9c0d7b3b1ad78b58aa7
17610\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.556\",\"ups
treamSourcePort\":\"37354\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:35:00+00:00\", \"time\": \"2024-02-
25T03:35:00+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"52.167.144.218\",\"clientPort\":35329,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=42194&namber=5789364&space=0&rev=0&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=42194&namber=5789364&space=0&rev=0&page=0
&no=0\",\"userAgent\":\"Mozilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko;
compatible; bingbot\\/2.0; +http:\\/\\/www.bing.com\\/bingbot.htm)
Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":370,\"sentBytes\":514,\"connectionSerialNumber\":509818,\"n
oOfConnectionRequests\":2,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"714497a3dc084c
d3bbb7ca1d47115991\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:35:04+00:00\", \"time\": \"2024-02-
25T03:35:04+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57486,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=10_logistics&q0=technical%20support\",\"requestUri\":\"\\/cs\\/
gw\",\"requestQuery\":\"c-id=000671&r1=03_products&r2=02_solution-based
%20software&r3=10_logistics&q0=technical%20support\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64; rv:109.0) Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":358,\"sentBytes\":62229,\"connectionSerialNumber\":509824,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.381,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"48cc3db755fbaf2a76754146241
a8295\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.380\",\"ups
treamSourcePort\":\"37354\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{
\"timeStamp\": \"2024-02-25T03:35:05+00:00\", \"time\": \"2024-02-
25T03:35:05+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57532,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000671&r1=03_products&r2=02_solution-based%20software&r3=10_logistics&q0=sales
%20and%20quote\",\"requestUri\":\"\\/cs\\/gw\",\"requestQuery\":\"c-
id=000671&r1=03_products&r2=02_solution-based%20software&r3=10_logistics&q0=sales
%20and%20quote\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64;
rv:109.0) Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":358,\"sentBytes\":62229,\"connectionSerialNumber\":509843,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.543,\"WAFEvalu
ationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"0b335fcabd3d694361499641b70
708ae\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.544\",\"ups
treamSourcePort\":\"37374\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:35:05+00:00\", \"time\": \"2024-02-25T03:35:05+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57536,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=10_logistics\",\"requestUri\":\"\\/cs\\/gw\",\"requestQuery\":\"c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=10_logistics\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64; rv:109.0) Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":335,\"sentBytes\":62249,\"connectionSerialNumber\":509842,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.555,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"76c8655e9c0d7b3b1ad78b58aa7
17610\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.556\",\"ups
treamSourcePort\":\"37354\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}}]}"}}}
[2024-02-25T03:35:32,803][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:35:00+00:00", "timeStamp"=>"2024-02-
25T03:35:00+00:00", "listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect",
"properties"=>{"host"=>"", "clientPort"=>35329, "sslProtocol"=>"",
"serverRouted"=>"", "sslCipher"=>"", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"714497a3dc084cd3bbb7ca1d47115991", "sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&mo=42194&namber=5789364&space=0&rev=0&page=0&no=0",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"52.167.144.218",
"httpStatus"=>301, "sentBytes"=>514,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509818, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>370,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=al2&mo=42194&namber=5789364&space=0&rev=0&page=0&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible;
bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>2,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, :field=>"records"}
[2024-02-25T03:35:32,804][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:35:04+00:00", "timeStamp"=>"2024-02-
25T03:35:04+00:00", "backendPoolName"=>"APG01_BackendPool09_ContactSystem",
"listenerName"=>"APG01_Listener09_HTTPS_ContactSystem",
"properties"=>{"host"=>"contact.yokogawa.com", "clientPort"=>57486,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.14.10.57:80", "sslCipher"=>"ECDHE-
RSA-AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.381e0,
"transactionId"=>"48cc3db755fbaf2a76754146241a8295", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cs/gw?c-id=000671&r1=03_products&r2=02_solution-
based%20software&r3=10_logistics&q0=technical%20support",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"178.162.141.227",
"httpStatus"=>200, "sentBytes"=>62229, "requestUri"=>"/cs/gw",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/
APG01V2_WAFPolicy09_ContactSystem", "connectionSerialNumber"=>509824,
"contentType"=>"", "originalHost"=>"contact.yokogawa.com", "sslEnabled"=>"on",
"receivedBytes"=>358, "httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_4", "requestQuery"=>"c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=10_logistics&q0=technical%20support",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101
Firefox/111.0", "upstreamSourcePort"=>"37354",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.380"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP09_ContactSystem",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_Listener09_HTTPS_ContactSystem"}, :field=>"records"}
[2024-02-25T03:35:32,804][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:35:05+00:00", "timeStamp"=>"2024-02-
25T03:35:05+00:00", "backendPoolName"=>"APG01_BackendPool09_ContactSystem",
"listenerName"=>"APG01_Listener09_HTTPS_ContactSystem",
"properties"=>{"host"=>"contact.yokogawa.com", "clientPort"=>57532,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.14.10.57:80", "sslCipher"=>"ECDHE-
RSA-AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.543e0,
"transactionId"=>"0b335fcabd3d694361499641b70708ae", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cs/gw?c-id=000671&r1=03_products&r2=02_solution-
based%20software&r3=10_logistics&q0=sales%20and%20quote",
"WAFEvaluationTime"=>"0.004", "serverStatus"=>"200", "clientIP"=>"178.162.141.227",
"httpStatus"=>200, "sentBytes"=>62229, "requestUri"=>"/cs/gw",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/
APG01V2_WAFPolicy09_ContactSystem", "connectionSerialNumber"=>509843,
"contentType"=>"", "originalHost"=>"contact.yokogawa.com", "sslEnabled"=>"on",
"receivedBytes"=>358, "httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_4", "requestQuery"=>"c-
id=000671&r1=03_products&r2=02_solution-based%20software&r3=10_logistics&q0=sales
%20and%20quote", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101
Firefox/111.0", "upstreamSourcePort"=>"37374",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.544"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP09_ContactSystem",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_Listener09_HTTPS_ContactSystem"}, :field=>"records"}
[2024-02-25T03:35:32,811][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:35:05+00:00", "timeStamp"=>"2024-02-
25T03:35:05+00:00", "backendPoolName"=>"APG01_BackendPool09_ContactSystem",
"listenerName"=>"APG01_Listener09_HTTPS_ContactSystem",
"properties"=>{"host"=>"contact.yokogawa.com", "clientPort"=>57536,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.14.10.57:80", "sslCipher"=>"ECDHE-
RSA-AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.555e0,
"transactionId"=>"76c8655e9c0d7b3b1ad78b58aa717610", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cs/gw?c-id=000671&r1=03_products&r2=02_solution-
based%20software&r3=10_logistics", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"178.162.141.227", "httpStatus"=>200,
"sentBytes"=>62249, "requestUri"=>"/cs/gw",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/
APG01V2_WAFPolicy09_ContactSystem", "connectionSerialNumber"=>509842,
"contentType"=>"", "originalHost"=>"contact.yokogawa.com", "sslEnabled"=>"on",
"receivedBytes"=>335, "httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_4", "requestQuery"=>"c-
id=000671&r1=03_products&r2=02_solution-based%20software&r3=10_logistics",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101
Firefox/111.0", "upstreamSourcePort"=>"37354",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.556"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP09_ContactSystem",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_Listener09_HTTPS_ContactSystem"}, :field=>"records"}
[2024-02-25T03:35:32,854][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>4, :payload_size=>73977, :content_length=>5253, :batch_offset=>0}
[2024-02-25T03:35:33,363][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:35:33,363][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25297
[2024-02-25T03:35:33,363][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20113
[2024-02-25T03:35:33,363][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25228
[2024-02-25T03:35:33,363][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25248
[2024-02-25T03:35:33,363][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:35:33,363][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:35:33,363][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:35:33,363][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:35:33,363][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:35:33,363][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:35:33,363][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:35:33,363][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:35:33,363][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:35:33,363][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25297
[2024-02-25T03:35:33,363][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20113
[2024-02-25T03:35:33,363][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25228
[2024-02-25T03:35:33,363][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25248
[2024-02-25T03:35:33,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:35:33,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:35:33,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:35:33,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:35:33,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:35:33,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:35:33,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:35:33,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:35:33,474][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
1], linkName[LN_7535a2_1708832073460_45c_G10] - Reschedule operation timer,
current: [2024-02-25T03:35:33.474862672Z], remaining: [59] secs
[2024-02-25T03:35:33,476][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:35:33,476][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:35:33,476][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:35:33,719][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:35:33,726][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:35:33,729][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:35:34,423][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is processing a batch of
size 1.
[2024-02-25T03:35:34,432][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Saving checkpoint: 1533313429032//1261832
[2024-02-25T03:35:34,432][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: updateCheckpoint() 1533313429032//1261832
[2024-02-25T03:35:34,432][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 finished processing a batch
of 5848 bytes.
[2024-02-25T03:35:34,484][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:35:34.431237329Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:35:03+00:00\", \"time\": \"2024-02-25T03:35:03+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57479,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization\",\"requestUri\":\"\\/cs\\/
gw\",\"requestQuery\":\"c-id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64; rv:109.0) Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":338,\"sentBytes\":62252,\"connectionSerialNumber\":509362,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.383,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"56c0d1dc2143fb02989d7a3b8cc
36620\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.384\",\"ups
treamSourcePort\":\"57230\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:35:05+00:00\", \"time\": \"2024-02-25T03:35:05+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57513,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization&q0=sales%20and%20quote\",\"requestUri\":\"\\/cs\\/
gw\",\"requestQuery\":\"c-id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization&q0=sales%20and%20quote\",\"userAgent\":\"Mozilla\\/
5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":361,\"sentBytes\":62232,\"connectionSerialNumber\":509364,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.342,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"663dbbec3ad6633d4321285f375
c9773\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.340\",\"ups
treamSourcePort\":\"57230\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:35:06+00:00\", \"time\": \"2024-02-25T03:35:06+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57561,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization&q0=technical%20support\",\"requestUri\":\"\\/cs\\/
gw\",\"requestQuery\":\"c-id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization&q0=technical%20support\",\"userAgent\":\"Mozilla\\/
5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":361,\"sentBytes\":62232,\"connectionSerialNumber\":509367,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.484,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"c31597c993db24cf8932ca5d722
fc4f1\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.484\",\"ups
treamSourcePort\":\"57230\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:35:03+00:00\", \"time\": \"2024-02-
25T03:35:03+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57479,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization\",\"requestUri\":\"\\/cs\\/
gw\",\"requestQuery\":\"c-id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64; rv:109.0) Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":338,\"sentBytes\":62252,\"connectionSerialNumber\":509362,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.383,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"56c0d1dc2143fb02989d7a3b8cc
36620\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.384\",\"ups
treamSourcePort\":\"57230\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:35:05+00:00\", \"time\": \"2024-02-25T03:35:05+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57513,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization&q0=sales%20and%20quote\",\"requestUri\":\"\\/cs\\/
gw\",\"requestQuery\":\"c-id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization&q0=sales%20and%20quote\",\"userAgent\":\"Mozilla\\/
5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/1.1\",\"rec
eivedBytes\":361,\"sentBytes\":62232,\"connectionSerialNumber\":509364,\"noOfConnec
tionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.342,\"WAFEvaluationTime\"
:\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/subscriptions\\/
2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/RG_YAzureDMZ_APG01\\/
providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"663dbbec3ad6633d4321285f375
c9773\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.340\",\"ups
treamSourcePort\":\"57230\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:35:06+00:00\", \"time\": \"2024-02-25T03:35:06+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57561,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization&q0=technical%20support\",\"requestUri\":\"\\/cs\\/
gw\",\"requestQuery\":\"c-id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization&q0=technical%20support\",\"userAgent\":\"Mozilla\\/
5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":361,\"sentBytes\":62232,\"connectionSerialNumber\":509367,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.484,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"c31597c993db24cf8932ca5d722
fc4f1\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.484\",\"ups
treamSourcePort\":\"57230\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}}]}"}}}
[2024-02-25T03:35:34,490][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:35:03+00:00", "timeStamp"=>"2024-02-25T03:35:03+00:00",
"backendPoolName"=>"APG01_BackendPool09_ContactSystem",
"listenerName"=>"APG01_Listener09_HTTPS_ContactSystem",
"properties"=>{"host"=>"contact.yokogawa.com", "clientPort"=>57479,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.14.10.57:80", "sslCipher"=>"ECDHE-
RSA-AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.383e0,
"transactionId"=>"56c0d1dc2143fb02989d7a3b8cc36620", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cs/gw?c-id=000671&r1=03_products&r2=02_solution-
based%20software&r3=03_optimization", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"178.162.141.227", "httpStatus"=>200,
"sentBytes"=>62252, "requestUri"=>"/cs/gw",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/
APG01V2_WAFPolicy09_ContactSystem", "connectionSerialNumber"=>509362,
"contentType"=>"", "originalHost"=>"contact.yokogawa.com", "sslEnabled"=>"on",
"receivedBytes"=>338, "httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_2", "requestQuery"=>"c-
id=000671&r1=03_products&r2=02_solution-based%20software&r3=03_optimization",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101
Firefox/111.0", "upstreamSourcePort"=>"57230",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.384"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP09_ContactSystem",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_Listener09_HTTPS_ContactSystem"}, {"time"=>"2024-02-
25T03:35:05+00:00", "timeStamp"=>"2024-02-25T03:35:05+00:00",
"backendPoolName"=>"APG01_BackendPool09_ContactSystem",
"listenerName"=>"APG01_Listener09_HTTPS_ContactSystem",
"properties"=>{"host"=>"contact.yokogawa.com", "clientPort"=>57513,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.14.10.57:80", "sslCipher"=>"ECDHE-
RSA-AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.342e0,
"transactionId"=>"663dbbec3ad6633d4321285f375c9773", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cs/gw?c-id=000671&r1=03_products&r2=02_solution-
based%20software&r3=03_optimization&q0=sales%20and%20quote",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"178.162.141.227",
"httpStatus"=>200, "sentBytes"=>62232, "requestUri"=>"/cs/gw",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/
APG01V2_WAFPolicy09_ContactSystem", "connectionSerialNumber"=>509364,
"contentType"=>"", "originalHost"=>"contact.yokogawa.com", "sslEnabled"=>"on",
"receivedBytes"=>361, "httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_2", "requestQuery"=>"c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization&q0=sales%20and%20quote",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101
Firefox/111.0", "upstreamSourcePort"=>"57230",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.340"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP09_ContactSystem",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_Listener09_HTTPS_ContactSystem"}, {"time"=>"2024-02-
25T03:35:06+00:00", "timeStamp"=>"2024-02-25T03:35:06+00:00",
"backendPoolName"=>"APG01_BackendPool09_ContactSystem",
"listenerName"=>"APG01_Listener09_HTTPS_ContactSystem",
"properties"=>{"host"=>"contact.yokogawa.com", "clientPort"=>57561,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.14.10.57:80", "sslCipher"=>"ECDHE-
RSA-AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.484e0,
"transactionId"=>"c31597c993db24cf8932ca5d722fc4f1", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cs/gw?c-id=000671&r1=03_products&r2=02_solution-
based%20software&r3=03_optimization&q0=technical%20support",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"178.162.141.227",
"httpStatus"=>200, "sentBytes"=>62232, "requestUri"=>"/cs/gw",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/
APG01V2_WAFPolicy09_ContactSystem", "connectionSerialNumber"=>509367,
"contentType"=>"", "originalHost"=>"contact.yokogawa.com", "sslEnabled"=>"on",
"receivedBytes"=>361, "httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_2", "requestQuery"=>"c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization&q0=technical%20support",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101
Firefox/111.0", "upstreamSourcePort"=>"57230",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.484"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP09_ContactSystem",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_Listener09_HTTPS_ContactSystem"}], "@timestamp"=>2024-02-
25T03:35:34.431237329Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:35:03+00:00\", \"time\": \"2024-02-25T03:35:03+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57479,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization\",\"requestUri\":\"\\/cs\\/
gw\",\"requestQuery\":\"c-id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64; rv:109.0) Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":338,\"sentBytes\":62252,\"connectionSerialNumber\":509362,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.383,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"56c0d1dc2143fb02989d7a3b8cc
36620\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.384\",\"ups
treamSourcePort\":\"57230\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:35:05+00:00\", \"time\": \"2024-02-25T03:35:05+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57513,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization&q0=sales%20and%20quote\",\"requestUri\":\"\\/cs\\/
gw\",\"requestQuery\":\"c-id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization&q0=sales%20and%20quote\",\"userAgent\":\"Mozilla\\/
5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":361,\"sentBytes\":62232,\"connectionSerialNumber\":509364,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.342,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"663dbbec3ad6633d4321285f375
c9773\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.340\",\"ups
treamSourcePort\":\"57230\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:35:06+00:00\", \"time\": \"2024-02-25T03:35:06+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57561,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization&q0=technical%20support\",\"requestUri\":\"\\/cs\\/
gw\",\"requestQuery\":\"c-id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization&q0=technical%20support\",\"userAgent\":\"Mozilla\\/
5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":361,\"sentBytes\":62232,\"connectionSerialNumber\":509367,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.484,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"c31597c993db24cf8932ca5d722
fc4f1\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.484\",\"ups
treamSourcePort\":\"57230\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:35:03+00:00\", \"time\": \"2024-02-
25T03:35:03+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57479,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization\",\"requestUri\":\"\\/cs\\/
gw\",\"requestQuery\":\"c-id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64; rv:109.0) Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":338,\"sentBytes\":62252,\"connectionSerialNumber\":509362,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.383,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"56c0d1dc2143fb02989d7a3b8cc
36620\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.384\",\"ups
treamSourcePort\":\"57230\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:35:05+00:00\", \"time\": \"2024-02-25T03:35:05+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57513,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization&q0=sales%20and%20quote\",\"requestUri\":\"\\/cs\\/
gw\",\"requestQuery\":\"c-id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization&q0=sales%20and%20quote\",\"userAgent\":\"Mozilla\\/
5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":361,\"sentBytes\":62232,\"connectionSerialNumber\":509364,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.342,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"663dbbec3ad6633d4321285f375
c9773\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.340\",\"ups
treamSourcePort\":\"57230\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:35:06+00:00\", \"time\": \"2024-02-25T03:35:06+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57561,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization&q0=technical%20support\",\"requestUri\":\"\\/cs\\/
gw\",\"requestQuery\":\"c-id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization&q0=technical%20support\",\"userAgent\":\"Mozilla\\/
5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":361,\"sentBytes\":62232,\"connectionSerialNumber\":509367,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.484,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"c31597c993db24cf8932ca5d722
fc4f1\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.484\",\"ups
treamSourcePort\":\"57230\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}}]}"}}}
[2024-02-25T03:35:34,492][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:35:03+00:00", "timeStamp"=>"2024-02-
25T03:35:03+00:00", "backendPoolName"=>"APG01_BackendPool09_ContactSystem",
"listenerName"=>"APG01_Listener09_HTTPS_ContactSystem",
"properties"=>{"host"=>"contact.yokogawa.com", "clientPort"=>57479,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.14.10.57:80", "sslCipher"=>"ECDHE-
RSA-AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.383e0,
"transactionId"=>"56c0d1dc2143fb02989d7a3b8cc36620", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cs/gw?c-id=000671&r1=03_products&r2=02_solution-
based%20software&r3=03_optimization", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"178.162.141.227", "httpStatus"=>200,
"sentBytes"=>62252, "requestUri"=>"/cs/gw",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/
APG01V2_WAFPolicy09_ContactSystem", "connectionSerialNumber"=>509362,
"contentType"=>"", "originalHost"=>"contact.yokogawa.com", "sslEnabled"=>"on",
"receivedBytes"=>338, "httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_2", "requestQuery"=>"c-
id=000671&r1=03_products&r2=02_solution-based%20software&r3=03_optimization",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101
Firefox/111.0", "upstreamSourcePort"=>"57230",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.384"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP09_ContactSystem",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_Listener09_HTTPS_ContactSystem"}, :field=>"records"}
[2024-02-25T03:35:34,492][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:35:05+00:00", "timeStamp"=>"2024-02-
25T03:35:05+00:00", "backendPoolName"=>"APG01_BackendPool09_ContactSystem",
"listenerName"=>"APG01_Listener09_HTTPS_ContactSystem",
"properties"=>{"host"=>"contact.yokogawa.com", "clientPort"=>57513,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.14.10.57:80", "sslCipher"=>"ECDHE-
RSA-AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.342e0,
"transactionId"=>"663dbbec3ad6633d4321285f375c9773", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cs/gw?c-id=000671&r1=03_products&r2=02_solution-
based%20software&r3=03_optimization&q0=sales%20and%20quote",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"178.162.141.227",
"httpStatus"=>200, "sentBytes"=>62232, "requestUri"=>"/cs/gw",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/
APG01V2_WAFPolicy09_ContactSystem", "connectionSerialNumber"=>509364,
"contentType"=>"", "originalHost"=>"contact.yokogawa.com", "sslEnabled"=>"on",
"receivedBytes"=>361, "httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_2", "requestQuery"=>"c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization&q0=sales%20and%20quote",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101
Firefox/111.0", "upstreamSourcePort"=>"57230",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.340"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP09_ContactSystem",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_Listener09_HTTPS_ContactSystem"}, :field=>"records"}
[2024-02-25T03:35:34,493][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:35:06+00:00", "timeStamp"=>"2024-02-
25T03:35:06+00:00", "backendPoolName"=>"APG01_BackendPool09_ContactSystem",
"listenerName"=>"APG01_Listener09_HTTPS_ContactSystem",
"properties"=>{"host"=>"contact.yokogawa.com", "clientPort"=>57561,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.14.10.57:80", "sslCipher"=>"ECDHE-
RSA-AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.484e0,
"transactionId"=>"c31597c993db24cf8932ca5d722fc4f1", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cs/gw?c-id=000671&r1=03_products&r2=02_solution-
based%20software&r3=03_optimization&q0=technical%20support",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"178.162.141.227",
"httpStatus"=>200, "sentBytes"=>62232, "requestUri"=>"/cs/gw",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/
APG01V2_WAFPolicy09_ContactSystem", "connectionSerialNumber"=>509367,
"contentType"=>"", "originalHost"=>"contact.yokogawa.com", "sslEnabled"=>"on",
"receivedBytes"=>361, "httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_2", "requestQuery"=>"c-
id=000671&r1=03_products&r2=02_solution-based
%20software&r3=03_optimization&q0=technical%20support",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101
Firefox/111.0", "upstreamSourcePort"=>"57230",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.484"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP09_ContactSystem",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_Listener09_HTTPS_ContactSystem"}, :field=>"records"}
[2024-02-25T03:35:34,512][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>3, :payload_size=>45395, :content_length=>3328, :batch_offset=>0}
[2024-02-25T03:35:35,314][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
1], linkName[LN_7535a2_1708832073460_45c_G10] - Reschedule operation timer,
current: [2024-02-25T03:35:35.314741020Z], remaining: [57] secs
[2024-02-25T03:35:36,518][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=2108110993} forced-compaction result (captures: `3` span: `PT10.00803912S`)
[2024-02-25T03:35:36,518][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1130893468} forced-compaction result (captures: `3` span: `PT10.008199824S`)
[2024-02-25T03:35:36,646][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:35:36,646][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:35:36,723][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:35:36,723][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:35:36,732][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:35:37,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:35:38,363][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:35:38,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20296
[2024-02-25T03:35:38,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25112
[2024-02-25T03:35:38,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20227
[2024-02-25T03:35:38,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20247
[2024-02-25T03:35:38,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:35:38,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:35:38,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:35:38,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:35:38,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:35:38,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20296
[2024-02-25T03:35:38,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25112
[2024-02-25T03:35:38,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20227
[2024-02-25T03:35:38,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20247
[2024-02-25T03:35:38,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:35:38,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:35:38,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:35:38,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:35:38,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:35:38,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:35:38,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:35:38,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:35:38,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:35:38,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:35:38,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:35:38,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:35:38,592][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:35:38,592][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:35:38,592][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:35:38,612][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:35:38,612][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:35:38,612][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:35:38,661][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:35:38,661][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:35:38,661][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:35:38,974][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_539107_1708832038496_MF_00b33c_1708832038383-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
2], linkName[LN_c22bd3_1708832038545_dc7f_G9] - schedule operation timer, current:
[2024-02-25T03:35:38.974880394Z], remaining: [60] secs
[2024-02-25T03:35:39,718][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:35:39,719][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:35:39,727][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:35:41,260][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is processing a batch of
size 1.
[2024-02-25T03:35:41,265][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Saving checkpoint: 1533313434952//1261833
[2024-02-25T03:35:41,265][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: updateCheckpoint() 1533313434952//1261833
[2024-02-25T03:35:41,265][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 finished processing a batch
of 3683 bytes.
[2024-02-25T03:35:41,316][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:35:41.262731471Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:35:14+00:00\", \"time\": \"2024-02-25T03:35:14+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57858,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000951\",\"requestUri\":\"\\/cs\\/gw\",\"requestQuery\":\"c-
id=000951\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":272,\"sentBytes\":67242,\"connectionSerialNumber\":509847,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.379,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"1afe09a494f7099a0b460e69bca
630c9\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.380\",\"ups
treamSourcePort\":\"37354\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:35:14+00:00\", \"time\": \"2024-02-25T03:35:14+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.11\",\"clientPort\":55388,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=21937&mode=al2&namber=5789364&no=0&page=40&rev=0&space=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=21937&mode=al2&namber=5789364&no=0&page=40&rev=0&s
pace=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":384,\"sentBytes\":6502,\"connectionSerialNumber\":509846,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.084,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"ff361971d7f93a8c330481a9c2e77ef0\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.084\",\"upst
reamSourcePort\":\"50870\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:35:14+00:00\", \"time\": \"2024-02-
25T03:35:14+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57858,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000951\",\"requestUri\":\"\\/cs\\/gw\",\"requestQuery\":\"c-
id=000951\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":272,\"sentBytes\":67242,\"connectionSerialNumber\":509847,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.379,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"1afe09a494f7099a0b460e69bca
630c9\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.380\",\"ups
treamSourcePort\":\"37354\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:35:14+00:00\", \"time\": \"2024-02-25T03:35:14+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.11\",\"clientPort\":55388,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=21937&mode=al2&namber=5789364&no=0&page=40&rev=0&space=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=21937&mode=al2&namber=5789364&no=0&page=40&rev=0&s
pace=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":384,\"sentBytes\":6502,\"connectionSerialNumber\":509846,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.084,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"ff361971d7f93a8c330481a9c2e77ef0\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.084\",\"upst
reamSourcePort\":\"50870\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:35:41,317][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:35:14+00:00", "timeStamp"=>"2024-02-25T03:35:14+00:00",
"backendPoolName"=>"APG01_BackendPool09_ContactSystem",
"listenerName"=>"APG01_Listener09_HTTPS_ContactSystem",
"properties"=>{"host"=>"contact.yokogawa.com", "clientPort"=>57858,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.14.10.57:80", "sslCipher"=>"ECDHE-
RSA-AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.379e0,
"transactionId"=>"1afe09a494f7099a0b460e69bca630c9", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cs/gw?c-id=000951", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"178.162.141.227", "httpStatus"=>200,
"sentBytes"=>67242, "requestUri"=>"/cs/gw",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/
APG01V2_WAFPolicy09_ContactSystem", "connectionSerialNumber"=>509847,
"contentType"=>"", "originalHost"=>"contact.yokogawa.com", "sslEnabled"=>"on",
"receivedBytes"=>272, "httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_4", "requestQuery"=>"c-id=000951",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101
Firefox/111.0", "upstreamSourcePort"=>"37354",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.380"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP09_ContactSystem",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_Listener09_HTTPS_ContactSystem"}, {"time"=>"2024-02-
25T03:35:14+00:00", "timeStamp"=>"2024-02-25T03:35:14+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>55388,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.84e-1,
"transactionId"=>"ff361971d7f93a8c330481a9c2e77ef0", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mo=21937&mode=al2&namber=5789364&no=0&page=40&rev=0&space=0",
"WAFEvaluationTime"=>"0.004", "serverStatus"=>"200", "clientIP"=>"185.191.171.11",
"httpStatus"=>200, "sentBytes"=>6502,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509846, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>384,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mo=21937&mode=al2&namber=5789364&no=0&page=40&rev=0&space=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"50870",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.084"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}], "@timestamp"=>2024-02-
25T03:35:41.262731471Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:35:14+00:00\", \"time\": \"2024-02-25T03:35:14+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57858,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000951\",\"requestUri\":\"\\/cs\\/gw\",\"requestQuery\":\"c-
id=000951\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":272,\"sentBytes\":67242,\"connectionSerialNumber\":509847,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.379,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"1afe09a494f7099a0b460e69bca
630c9\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.380\",\"ups
treamSourcePort\":\"37354\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:35:14+00:00\", \"time\": \"2024-02-25T03:35:14+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.11\",\"clientPort\":55388,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=21937&mode=al2&namber=5789364&no=0&page=40&rev=0&space=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=21937&mode=al2&namber=5789364&no=0&page=40&rev=0&s
pace=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":384,\"sentBytes\":6502,\"connectionSerialNumber\":509846,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.084,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"ff361971d7f93a8c330481a9c2e77ef0\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.084\",\"upst
reamSourcePort\":\"50870\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:35:14+00:00\", \"time\": \"2024-02-
25T03:35:14+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"178.162.141.227\",\"clientPort\":57858,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000951\",\"requestUri\":\"\\/cs\\/gw\",\"requestQuery\":\"c-
id=000951\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko\\/20100101
Firefox\\/111.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":272,\"sentBytes\":67242,\"connectionSerialNumber\":509847,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.379,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"1afe09a494f7099a0b460e69bca
630c9\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.380\",\"ups
treamSourcePort\":\"37354\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"contact.yokoga
wa.com\"}},{ \"timeStamp\": \"2024-02-25T03:35:14+00:00\", \"time\": \"2024-02-
25T03:35:14+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.11\",\"clientPort\":55388,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=21937&mode=al2&namber=5789364&no=0&page=40&rev=0&space=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=21937&mode=al2&namber=5789364&no=0&page=40&rev=0&s
pace=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":384,\"sentBytes\":6502,\"connectionSerialNumber\":509846,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.084,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"ff361971d7f93a8c330481a9c2e77ef0\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.084\",\"upst
reamSourcePort\":\"50870\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:35:41,325][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:35:14+00:00", "timeStamp"=>"2024-02-
25T03:35:14+00:00", "backendPoolName"=>"APG01_BackendPool09_ContactSystem",
"listenerName"=>"APG01_Listener09_HTTPS_ContactSystem",
"properties"=>{"host"=>"contact.yokogawa.com", "clientPort"=>57858,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.14.10.57:80", "sslCipher"=>"ECDHE-
RSA-AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.379e0,
"transactionId"=>"1afe09a494f7099a0b460e69bca630c9", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cs/gw?c-id=000951", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"178.162.141.227", "httpStatus"=>200,
"sentBytes"=>67242, "requestUri"=>"/cs/gw",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/
APG01V2_WAFPolicy09_ContactSystem", "connectionSerialNumber"=>509847,
"contentType"=>"", "originalHost"=>"contact.yokogawa.com", "sslEnabled"=>"on",
"receivedBytes"=>272, "httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_4", "requestQuery"=>"c-id=000951",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101
Firefox/111.0", "upstreamSourcePort"=>"37354",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.380"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP09_ContactSystem",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_Listener09_HTTPS_ContactSystem"}, :field=>"records"}
[2024-02-25T03:35:41,325][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:35:14+00:00", "timeStamp"=>"2024-02-
25T03:35:14+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>55388,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.84e-1,
"transactionId"=>"ff361971d7f93a8c330481a9c2e77ef0", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mo=21937&mode=al2&namber=5789364&no=0&page=40&rev=0&space=0",
"WAFEvaluationTime"=>"0.004", "serverStatus"=>"200", "clientIP"=>"185.191.171.11",
"httpStatus"=>200, "sentBytes"=>6502,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509846, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>384,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mo=21937&mode=al2&namber=5789364&no=0&page=40&rev=0&space=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"50870",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.084"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:35:41,341][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>2, :payload_size=>20609, :content_length=>2885, :batch_offset=>0}
[2024-02-25T03:35:41,652][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:35:41,659][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:35:42,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:35:42,725][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:35:42,725][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:35:42,734][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:35:43,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:35:43,364][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:35:43,365][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25296
[2024-02-25T03:35:43,365][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25296
[2024-02-25T03:35:43,365][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20111
[2024-02-25T03:35:43,365][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25227
[2024-02-25T03:35:43,365][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20111
[2024-02-25T03:35:43,365][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25227
[2024-02-25T03:35:43,365][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25247
[2024-02-25T03:35:43,365][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:35:43,365][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:35:43,365][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:35:43,365][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:35:43,365][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:35:43,365][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:35:43,365][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:35:43,365][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:35:43,365][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25247
[2024-02-25T03:35:43,365][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:35:43,365][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:35:43,365][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:35:43,365][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:35:43,365][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:35:43,365][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:35:43,365][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:35:43,366][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:35:43,476][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:35:43,477][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:35:43,477][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:35:45,721][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:35:45,721][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:35:45,730][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:35:46,523][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=347708838} forced-compaction result
(captures: `13` span: `PT1M0.042581735S`)
[2024-02-25T03:35:46,523][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1975461151} forced-compaction result
(captures: `13` span: `PT1M0.04279464S`)
[2024-02-25T03:35:46,523][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=834359250} forced-compaction result
(captures: `13` span: `PT1M0.042860841S`)
[2024-02-25T03:35:46,523][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=212501865} forced-compaction result
(captures: `13` span: `PT1M0.042897742S`)
[2024-02-25T03:35:46,524][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1420193271} forced-compaction result
(captures: `13` span: `PT1M0.042929742S`)
[2024-02-25T03:35:46,665][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:35:46,671][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:35:47,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:35:48,365][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:35:48,366][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20295
[2024-02-25T03:35:48,366][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25111
[2024-02-25T03:35:48,366][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20226
[2024-02-25T03:35:48,366][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20246
[2024-02-25T03:35:48,366][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:35:48,366][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:35:48,366][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20295
[2024-02-25T03:35:48,366][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25111
[2024-02-25T03:35:48,366][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20226
[2024-02-25T03:35:48,366][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20246
[2024-02-25T03:35:48,366][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:35:48,366][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:35:48,366][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:35:48,366][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:35:48,366][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:35:48,366][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:35:48,366][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:35:48,366][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:35:48,366][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:35:48,366][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:35:48,366][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:35:48,366][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:35:48,366][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:35:48,366][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:35:48,366][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:35:48,368][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is processing a batch of
size 1.
[2024-02-25T03:35:48,371][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Saving checkpoint: 1533313438704//1261834
[2024-02-25T03:35:48,371][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: updateCheckpoint() 1533313438704//1261834
[2024-02-25T03:35:48,371][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 finished processing a batch
of 1520 bytes.
[2024-02-25T03:35:48,422][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:35:48.370122229Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:35:11+00:00\", \"time\": \"2024-02-25T03:35:11+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"85.208.96.212\",\"clientPort\":26756,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=21937&mode=al2&namber=5789364&no=0&page=40&rev=0&space=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=21937&mode=al2&namber=5789364&no=0&page=40&rev=0&s
pace=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":384,\"sentBytes\":510,\"connectionSerialNumber\":509386,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"a5034d7703fe28
737b21317ef2112692\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}", "event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-
02-25T03:35:11+00:00\", \"time\": \"2024-02-
25T03:35:11+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"85.208.96.212\",\"clientPort\":26756,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=21937&mode=al2&namber=5789364&no=0&page=40&rev=0&space=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=21937&mode=al2&namber=5789364&no=0&page=40&rev=0&s
pace=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":384,\"sentBytes\":510,\"connectionSerialNumber\":509386,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"a5034d7703fe28
737b21317ef2112692\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}"}}}
[2024-02-25T03:35:48,422][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:35:11+00:00", "timeStamp"=>"2024-02-25T03:35:11+00:00",
"listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect", "properties"=>{"host"=>"",
"clientPort"=>26756, "sslProtocol"=>"", "serverRouted"=>"", "sslCipher"=>"",
"WAFMode"=>"", "timeTaken"=>0, "transactionId"=>"a5034d7703fe28737b21317ef2112692",
"sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mo=21937&mode=al2&namber=5789364&no=0&page=40&rev=0&space=0",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"85.208.96.212",
"httpStatus"=>301, "sentBytes"=>510,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509386, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>384,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mo=21937&mode=al2&namber=5789364&no=0&page=40&rev=0&space=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}], "@timestamp"=>2024-02-
25T03:35:48.370122229Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:35:11+00:00\", \"time\": \"2024-02-25T03:35:11+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"85.208.96.212\",\"clientPort\":26756,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=21937&mode=al2&namber=5789364&no=0&page=40&rev=0&space=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=21937&mode=al2&namber=5789364&no=0&page=40&rev=0&s
pace=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":384,\"sentBytes\":510,\"connectionSerialNumber\":509386,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"a5034d7703fe28
737b21317ef2112692\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}", "event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-
02-25T03:35:11+00:00\", \"time\": \"2024-02-
25T03:35:11+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"85.208.96.212\",\"clientPort\":26756,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=21937&mode=al2&namber=5789364&no=0&page=40&rev=0&space=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=21937&mode=al2&namber=5789364&no=0&page=40&rev=0&s
pace=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":384,\"sentBytes\":510,\"connectionSerialNumber\":509386,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"a5034d7703fe28
737b21317ef2112692\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}"}}}
[2024-02-25T03:35:48,423][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:35:11+00:00", "timeStamp"=>"2024-02-
25T03:35:11+00:00", "listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect",
"properties"=>{"host"=>"", "clientPort"=>26756, "sslProtocol"=>"",
"serverRouted"=>"", "sslCipher"=>"", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"a5034d7703fe28737b21317ef2112692", "sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mo=21937&mode=al2&namber=5789364&no=0&page=40&rev=0&space=0",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"85.208.96.212",
"httpStatus"=>301, "sentBytes"=>510,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509386, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>384,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mo=21937&mode=al2&namber=5789364&no=0&page=40&rev=0&space=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, :field=>"records"}
[2024-02-25T03:35:48,426][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>1, :payload_size=>5350, :content_length=>1568, :batch_offset=>0}
[2024-02-25T03:35:48,592][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:35:48,592][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:35:48,592][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:35:48,612][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:35:48,612][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:35:48,612][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:35:48,661][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:35:48,661][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:35:48,662][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:35:48,724][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:35:48,725][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:35:48,734][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:35:51,527][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1185004608} forced-compaction result
(captures: `13` span: `PT1M0.042955758S`)
[2024-02-25T03:35:51,527][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=470312551} forced-compaction result
(captures: `13` span: `PT1M0.043543671S`)
[2024-02-25T03:35:51,527][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1089746968} forced-compaction result
(captures: `13` span: `PT1M0.043629772S`)
[2024-02-25T03:35:51,528][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=852728684} forced-compaction result
(captures: `13` span: `PT1M0.043668973S`)
[2024-02-25T03:35:51,528][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2044420810} forced-compaction result
(captures: `13` span: `PT1M0.043721574S`)
[2024-02-25T03:35:51,528][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=650053832} forced-compaction result
(captures: `13` span: `PT1M0.043763776S`)
[2024-02-25T03:35:51,528][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1206567167} forced-compaction result
(captures: `13` span: `PT1M0.043796876S`)
[2024-02-25T03:35:51,528][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1766603669} forced-compaction result
(captures: `13` span: `PT1M0.043825977S`)
[2024-02-25T03:35:51,528][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1260640580} forced-compaction result
(captures: `13` span: `PT1M0.044076782S`)
[2024-02-25T03:35:51,528][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=352608672} forced-compaction result
(captures: `13` span: `PT1M0.044119883S`)
[2024-02-25T03:35:51,528][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=83404487} forced-compaction result
(captures: `13` span: `PT1M0.044153684S`)
[2024-02-25T03:35:51,528][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=216053086} forced-compaction result
(captures: `13` span: `PT1M0.044186085S`)
[2024-02-25T03:35:51,528][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1499243647} forced-compaction result
(captures: `13` span: `PT1M0.044194885S`)
[2024-02-25T03:35:51,528][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1877198741} forced-compaction result
(captures: `13` span: `PT1M0.044232386S`)
[2024-02-25T03:35:51,683][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:35:51,683][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:35:51,725][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:35:51,725][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:35:51,727][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:35:52,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:35:53,366][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:35:53,367][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25294
[2024-02-25T03:35:53,367][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20110
[2024-02-25T03:35:53,367][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25225
[2024-02-25T03:35:53,367][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25245
[2024-02-25T03:35:53,367][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:35:53,367][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25294
[2024-02-25T03:35:53,367][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20110
[2024-02-25T03:35:53,367][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25225
[2024-02-25T03:35:53,367][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25245
[2024-02-25T03:35:53,367][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:35:53,367][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:35:53,367][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:35:53,367][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:35:53,368][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:35:53,368][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:35:53,368][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:35:53,368][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:35:53,368][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:35:53,368][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:35:53,368][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:35:53,368][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:35:53,368][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:35:53,368][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:35:53,369][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 2
[2024-02-25T03:35:53,369][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:35:53,477][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:35:53,477][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:35:53,477][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:35:54,721][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:35:54,722][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:35:54,730][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:35:56,531][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1206079401} forced-compaction result (captures: `3` span: `PT10.007750244S`)
[2024-02-25T03:35:56,531][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=725814568} forced-compaction result (captures: `3` span: `PT10.007799645S`)
[2024-02-25T03:35:56,531][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1730595321} forced-compaction result (captures: `3` span: `PT10.007803545S`)
[2024-02-25T03:35:56,532][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2047832316} forced-compaction result
(captures: `13` span: `PT1M0.044967016S`)
[2024-02-25T03:35:56,532][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=267304298} forced-compaction result
(captures: `13` span: `PT1M0.045079418S`)
[2024-02-25T03:35:56,691][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:35:56,691][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:35:57,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:35:57,723][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:35:57,723][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:35:57,732][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:35:58,369][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:35:58,369][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:35:58,369][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20292
[2024-02-25T03:35:58,369][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25108
[2024-02-25T03:35:58,369][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20223
[2024-02-25T03:35:58,369][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20243
[2024-02-25T03:35:58,369][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:35:58,369][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:35:58,369][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:35:58,369][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:35:58,369][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:35:58,369][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:35:58,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:35:58,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:35:58,369][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20292
[2024-02-25T03:35:58,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25107
[2024-02-25T03:35:58,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20222
[2024-02-25T03:35:58,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20242
[2024-02-25T03:35:58,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:35:58,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:35:58,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:35:58,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:35:58,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:35:58,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:35:58,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:35:58,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:35:58,592][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:35:58,593][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:35:58,593][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:35:58,612][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:35:58,613][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:35:58,613][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:35:58,662][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:35:58,662][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:35:58,662][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:36:00,733][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:36:00,733][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:36:00,736][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:36:01,535][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=540156057} forced-compaction result (captures: `3` span: `PT10.007940547S`)
[2024-02-25T03:36:01,535][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1346215174} forced-compaction result (captures: `3` span: `PT10.008190853S`)
[2024-02-25T03:36:01,535][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=827149645} forced-compaction result (captures: `3` span: `PT10.008377257S`)
[2024-02-25T03:36:01,535][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=235286487} forced-compaction result (captures: `3` span: `PT10.007867246S`)
[2024-02-25T03:36:01,535][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1065480294} forced-compaction result (captures: `3` span: `PT10.007819945S`)
[2024-02-25T03:36:01,535][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=57188157} forced-compaction result (captures: `3` span: `PT10.007828746S`)
[2024-02-25T03:36:01,535][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1486130488} forced-compaction result (captures: `3` span: `PT10.007830546S`)
[2024-02-25T03:36:01,535][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1741908330} forced-compaction result (captures: `3` span: `PT10.007824145S`)
[2024-02-25T03:36:01,535][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1466017590} forced-compaction result (captures: `3` span: `PT10.007824245S`)
[2024-02-25T03:36:01,536][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=272063376} forced-compaction result (captures: `3` span: `PT10.007829545S`)
[2024-02-25T03:36:01,536][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1815538147} forced-compaction result (captures: `3` span: `PT10.007615041S`)
[2024-02-25T03:36:01,536][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=273831222} forced-compaction result (captures: `3` span: `PT10.007614641S`)
[2024-02-25T03:36:01,536][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1255151645} forced-compaction result (captures: `3` span: `PT10.007616141S`)
[2024-02-25T03:36:01,536][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1620128012} forced-compaction result (captures: `3` span: `PT10.007618841S`)
[2024-02-25T03:36:01,538][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1001633036} forced-compaction result (captures: `3` span: `PT10.007621541S`)
[2024-02-25T03:36:01,538][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=969583785} forced-compaction result (captures: `3` span: `PT10.009546882S`)
[2024-02-25T03:36:01,699][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:36:01,699][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:36:02,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:36:03,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:36:03,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25292
[2024-02-25T03:36:03,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20107
[2024-02-25T03:36:03,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25223
[2024-02-25T03:36:03,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25243
[2024-02-25T03:36:03,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:36:03,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:36:03,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25292
[2024-02-25T03:36:03,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:36:03,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20107
[2024-02-25T03:36:03,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:36:03,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25223
[2024-02-25T03:36:03,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25243
[2024-02-25T03:36:03,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:36:03,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:36:03,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:36:03,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:36:03,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:36:03,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:36:03,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:36:03,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:36:03,371][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:36:03,371][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:36:03,370][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:36:03,371][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:36:03,371][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:36:03,477][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:36:03,478][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:36:03,478][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:36:03,723][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:36:03,723][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:36:03,732][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:36:06,550][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=2108110993} forced-compaction result (captures: `3` span: `PT10.018285367S`)
[2024-02-25T03:36:06,550][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1130893468} forced-compaction result (captures: `3` span: `PT10.01843607S`)
[2024-02-25T03:36:06,705][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:36:06,705][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:36:06,717][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:36:06,724][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:36:06,726][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:36:07,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:36:08,371][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:36:08,371][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:36:08,371][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20291
[2024-02-25T03:36:08,371][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25107
[2024-02-25T03:36:08,371][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20291
[2024-02-25T03:36:08,371][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25107
[2024-02-25T03:36:08,371][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20222
[2024-02-25T03:36:08,371][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20242
[2024-02-25T03:36:08,371][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:36:08,371][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:36:08,371][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:36:08,371][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:36:08,371][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:36:08,371][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:36:08,371][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:36:08,371][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:36:08,371][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20222
[2024-02-25T03:36:08,371][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20242
[2024-02-25T03:36:08,371][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:36:08,371][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:36:08,372][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:36:08,372][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:36:08,372][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:36:08,372][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:36:08,372][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:36:08,372][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:36:08,593][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:36:08,593][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:36:08,593][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:36:08,613][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:36:08,613][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:36:08,613][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:36:08,662][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:36:08,662][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:36:08,662][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:36:09,724][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:36:09,725][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:36:09,733][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:36:11,715][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:36:11,716][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:36:12,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:36:12,718][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:36:12,725][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:36:12,727][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:36:13,372][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:36:13,372][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:36:13,372][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25290
[2024-02-25T03:36:13,372][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20106
[2024-02-25T03:36:13,372][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25221
[2024-02-25T03:36:13,372][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25241
[2024-02-25T03:36:13,372][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:36:13,372][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:36:13,372][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:36:13,372][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:36:13,372][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:36:13,372][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:36:13,372][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:36:13,372][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:36:13,372][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25290
[2024-02-25T03:36:13,372][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20106
[2024-02-25T03:36:13,372][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25221
[2024-02-25T03:36:13,372][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25241
[2024-02-25T03:36:13,372][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:36:13,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:36:13,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:36:13,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:36:13,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:36:13,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:36:13,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:36:13,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:36:13,478][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:36:13,478][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:36:13,478][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:36:15,720][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:36:15,720][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:36:15,729][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:36:16,556][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=347708838} forced-compaction result
(captures: `13` span: `PT1M0.055649802S`)
[2024-02-25T03:36:16,556][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1975461151} forced-compaction result
(captures: `13` span: `PT1M0.055695003S`)
[2024-02-25T03:36:16,556][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=834359250} forced-compaction result
(captures: `13` span: `PT1M0.055728604S`)
[2024-02-25T03:36:16,556][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=212501865} forced-compaction result
(captures: `13` span: `PT1M0.055724604S`)
[2024-02-25T03:36:16,556][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1420193271} forced-compaction result
(captures: `13` span: `PT1M0.055707103S`)
[2024-02-25T03:36:16,721][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:36:16,726][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:36:17,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:36:18,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:36:18,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:36:18,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20289
[2024-02-25T03:36:18,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25105
[2024-02-25T03:36:18,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20220
[2024-02-25T03:36:18,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20240
[2024-02-25T03:36:18,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:36:18,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:36:18,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:36:18,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:36:18,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:36:18,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:36:18,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:36:18,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:36:18,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20289
[2024-02-25T03:36:18,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25105
[2024-02-25T03:36:18,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20220
[2024-02-25T03:36:18,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20240
[2024-02-25T03:36:18,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:36:18,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:36:18,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:36:18,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:36:18,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:36:18,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:36:18,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:36:18,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:36:18,593][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:36:18,594][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:36:18,594][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:36:18,613][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:36:18,613][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:36:18,614][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:36:18,662][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:36:18,663][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:36:18,663][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:36:18,718][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:36:18,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:36:18,720][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:36:21,559][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1185004608} forced-compaction result
(captures: `13` span: `PT1M0.055595216S`)
[2024-02-25T03:36:21,559][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=470312551} forced-compaction result
(captures: `13` span: `PT1M0.055652418S`)
[2024-02-25T03:36:21,559][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1089746968} forced-compaction result
(captures: `13` span: `PT1M0.055674618S`)
[2024-02-25T03:36:21,559][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=852728684} forced-compaction result
(captures: `13` span: `PT1M0.055645416S`)
[2024-02-25T03:36:21,559][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2044420810} forced-compaction result
(captures: `13` span: `PT1M0.055625316S`)
[2024-02-25T03:36:21,560][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=650053832} forced-compaction result
(captures: `13` span: `PT1M0.055608116S`)
[2024-02-25T03:36:21,560][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1206567167} forced-compaction result
(captures: `13` span: `PT1M0.055591916S`)
[2024-02-25T03:36:21,560][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1766603669} forced-compaction result
(captures: `13` span: `PT1M0.055588915S`)
[2024-02-25T03:36:21,560][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1260640580} forced-compaction result
(captures: `13` span: `PT1M0.055575115S`)
[2024-02-25T03:36:21,560][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=352608672} forced-compaction result
(captures: `13` span: `PT1M0.055553515S`)
[2024-02-25T03:36:21,560][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=83404487} forced-compaction result
(captures: `13` span: `PT1M0.054479092S`)
[2024-02-25T03:36:21,560][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=216053086} forced-compaction result
(captures: `13` span: `PT1M0.053283366S`)
[2024-02-25T03:36:21,560][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1499243647} forced-compaction result
(captures: `13` span: `PT1M0.053397068S`)
[2024-02-25T03:36:21,560][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1877198741} forced-compaction result
(captures: `13` span: `PT1M0.053388968S`)
[2024-02-25T03:36:21,721][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:36:21,722][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:36:21,732][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:36:21,734][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:36:21,734][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:36:22,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:36:23,373][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:36:23,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25289
[2024-02-25T03:36:23,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20104
[2024-02-25T03:36:23,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25220
[2024-02-25T03:36:23,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25240
[2024-02-25T03:36:23,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:36:23,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:36:23,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25289
[2024-02-25T03:36:23,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:36:23,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:36:23,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:36:23,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:36:23,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:36:23,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:36:23,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:36:23,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20104
[2024-02-25T03:36:23,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25220
[2024-02-25T03:36:23,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25240
[2024-02-25T03:36:23,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:36:23,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:36:23,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:36:23,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:36:23,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:36:23,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:36:23,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:36:23,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:36:23,478][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:36:23,479][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:36:23,479][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:36:24,717][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:36:24,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:36:24,727][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:36:26,563][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1206079401} forced-compaction result (captures: `3` span: `PT10.007043328S`)
[2024-02-25T03:36:26,563][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=725814568} forced-compaction result (captures: `3` span: `PT10.006968227S`)
[2024-02-25T03:36:26,563][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1730595321} forced-compaction result (captures: `3` span: `PT10.006929526S`)
[2024-02-25T03:36:26,563][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2047832316} forced-compaction result
(captures: `13` span: `PT1M0.053581887S`)
[2024-02-25T03:36:26,563][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=267304298} forced-compaction result
(captures: `13` span: `PT1M0.053599488S`)
[2024-02-25T03:36:26,739][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:36:26,740][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:36:27,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:36:27,492][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], linkName[LN_163586_1708832038575_634_G17] - Reschedule operation timer,
current: [2024-02-25T03:36:27.492515543Z], remaining: [20] secs
[2024-02-25T03:36:27,492][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], linkName[LN_163586_1708832038575_634_G17] - Reschedule operation timer,
current: [2024-02-25T03:36:27.492858050Z], remaining: [20] secs
[2024-02-25T03:36:27,718][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:36:27,719][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:36:27,727][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:36:28,093][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is processing a batch of
size 1.
[2024-02-25T03:36:28,101][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Saving checkpoint: 1533313440296//1261835
[2024-02-25T03:36:28,101][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: updateCheckpoint() 1533313440296//1261835
[2024-02-25T03:36:28,101][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 finished processing a batch
of 5277 bytes.
[2024-02-25T03:36:28,152][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:36:28.100534432Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:35:51+00:00\", \"time\": \"2024-02-25T03:35:51+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"85.208.96.207\",\"clientPort\":36104,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=all&namber=97806&no=0&space=0&type=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=all&namber=97806&no=0&space=0&type=0\",\"userAge
nt\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":366,\"sentBytes\":3357,\"connectionSerialNumber\":509411,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.067,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"d0b1b81110a4fbd6f2a056fbe371323b\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"22838\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:35:53+00:00\", \"time\": \"2024-02-25T03:35:53+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.5\",\"clientPort\":33110,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
In=1&mo=136200&mode=al2&namber=5789364&no=0&page=0&rev=1&space=0\",\"requestUri\":\
"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"In=1&mo=136200&mode=al2&namber=5789364&no=0&page=0&re
v=1&space=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":389,\"sentBytes\":515,\"connectionSerialNumber\":509414,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"c90cd58c798c54
bf2a9546eba924d4cf\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:35:55+00:00\", \"time\": \"2024-02-
25T03:35:55+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.19\",\"clientPort\":28584,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
In=1&mo=136200&mode=al2&namber=5789364&no=0&page=0&rev=1&space=0\",\"requestUri\":\
"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"In=1&mo=136200&mode=al2&namber=5789364&no=0&page=0&re
v=1&space=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":389,\"sentBytes\":7661,\"connectionSerialNumber\":509415,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.053,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"90d01d91f0d170fe1b5f723d3a5c5fe2\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.052\",\"upst
reamSourcePort\":\"22838\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:35:51+00:00\", \"time\": \"2024-02-
25T03:35:51+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"85.208.96.207\",\"clientPort\":36104,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=all&namber=97806&no=0&space=0&type=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=all&namber=97806&no=0&space=0&type=0\",\"userAge
nt\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":366,\"sentBytes\":3357,\"connectionSerialNumber\":509411,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.067,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"d0b1b81110a4fbd6f2a056fbe371323b\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"22838\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:35:53+00:00\", \"time\": \"2024-02-25T03:35:53+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.5\",\"clientPort\":33110,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
In=1&mo=136200&mode=al2&namber=5789364&no=0&page=0&rev=1&space=0\",\"requestUri\":\
"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"In=1&mo=136200&mode=al2&namber=5789364&no=0&page=0&re
v=1&space=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":389,\"sentBytes\":515,\"connectionSerialNumber\":509414,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"c90cd58c798c54
bf2a9546eba924d4cf\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:35:55+00:00\", \"time\": \"2024-02-
25T03:35:55+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.19\",\"clientPort\":28584,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
In=1&mo=136200&mode=al2&namber=5789364&no=0&page=0&rev=1&space=0\",\"requestUri\":\
"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"In=1&mo=136200&mode=al2&namber=5789364&no=0&page=0&re
v=1&space=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":389,\"sentBytes\":7661,\"connectionSerialNumber\":509415,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.053,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"90d01d91f0d170fe1b5f723d3a5c5fe2\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.052\",\"upst
reamSourcePort\":\"22838\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:36:28,154][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:35:51+00:00", "timeStamp"=>"2024-02-25T03:35:51+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>36104,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.67e-1,
"transactionId"=>"d0b1b81110a4fbd6f2a056fbe371323b", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=all&namber=97806&no=0&space=0&type=0", "WAFEvaluationTime"=>"0.004",
"serverStatus"=>"200", "clientIP"=>"85.208.96.207", "httpStatus"=>200,
"sentBytes"=>3357, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509411, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>366,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=all&namber=97806&no=0&space=0&type=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.5e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"22838",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.064"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, {"time"=>"2024-02-25T03:35:53+00:00",
"timeStamp"=>"2024-02-25T03:35:53+00:00",
"listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect", "properties"=>{"host"=>"",
"clientPort"=>33110, "sslProtocol"=>"", "serverRouted"=>"", "sslCipher"=>"",
"WAFMode"=>"", "timeTaken"=>0, "transactionId"=>"c90cd58c798c54bf2a9546eba924d4cf",
"sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
In=1&mo=136200&mode=al2&namber=5789364&no=0&page=0&rev=1&space=0",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"185.191.171.5",
"httpStatus"=>301, "sentBytes"=>515,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509414, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>389,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"In=1&mo=136200&mode=al2&namber=5789364&no=0&page=0&rev=1&space=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, {"time"=>"2024-02-
25T03:35:55+00:00", "timeStamp"=>"2024-02-25T03:35:55+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>28584,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.53e-1,
"transactionId"=>"90d01d91f0d170fe1b5f723d3a5c5fe2", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
In=1&mo=136200&mode=al2&namber=5789364&no=0&page=0&rev=1&space=0",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"185.191.171.19",
"httpStatus"=>200, "sentBytes"=>7661,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509415, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>389,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"In=1&mo=136200&mode=al2&namber=5789364&no=0&page=0&rev=1&space=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"22838",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.052"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}], "@timestamp"=>2024-02-
25T03:36:28.100534432Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:35:51+00:00\", \"time\": \"2024-02-25T03:35:51+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"85.208.96.207\",\"clientPort\":36104,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=all&namber=97806&no=0&space=0&type=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=all&namber=97806&no=0&space=0&type=0\",\"userAge
nt\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":366,\"sentBytes\":3357,\"connectionSerialNumber\":509411,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.067,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"d0b1b81110a4fbd6f2a056fbe371323b\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"22838\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:35:53+00:00\", \"time\": \"2024-02-25T03:35:53+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.5\",\"clientPort\":33110,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
In=1&mo=136200&mode=al2&namber=5789364&no=0&page=0&rev=1&space=0\",\"requestUri\":\
"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"In=1&mo=136200&mode=al2&namber=5789364&no=0&page=0&re
v=1&space=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":389,\"sentBytes\":515,\"connectionSerialNumber\":509414,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"c90cd58c798c54
bf2a9546eba924d4cf\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:35:55+00:00\", \"time\": \"2024-02-
25T03:35:55+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\":
\"ApplicationGatewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"pro
perties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.19\",\"clientPort\":28584,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
In=1&mo=136200&mode=al2&namber=5789364&no=0&page=0&rev=1&space=0\",\"requestUri\":\
"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"In=1&mo=136200&mode=al2&namber=5789364&no=0&page=0&re
v=1&space=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":389,\"sentBytes\":7661,\"connectionSerialNumber\":509415,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.053,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"90d01d91f0d170fe1b5f723d3a5c5fe2\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.052\",\"upst
reamSourcePort\":\"22838\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:35:51+00:00\", \"time\": \"2024-02-
25T03:35:51+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"85.208.96.207\",\"clientPort\":36104,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=all&namber=97806&no=0&space=0&type=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=all&namber=97806&no=0&space=0&type=0\",\"userAge
nt\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":366,\"sentBytes\":3357,\"connectionSerialNumber\":509411,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.067,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"d0b1b81110a4fbd6f2a056fbe371323b\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"22838\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:35:53+00:00\", \"time\": \"2024-02-25T03:35:53+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.5\",\"clientPort\":33110,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
In=1&mo=136200&mode=al2&namber=5789364&no=0&page=0&rev=1&space=0\",\"requestUri\":\
"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"In=1&mo=136200&mode=al2&namber=5789364&no=0&page=0&re
v=1&space=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":389,\"sentBytes\":515,\"connectionSerialNumber\":509414,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"c90cd58c798c54
bf2a9546eba924d4cf\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:35:55+00:00\", \"time\": \"2024-02-
25T03:35:55+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.19\",\"clientPort\":28584,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
In=1&mo=136200&mode=al2&namber=5789364&no=0&page=0&rev=1&space=0\",\"requestUri\":\
"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"In=1&mo=136200&mode=al2&namber=5789364&no=0&page=0&re
v=1&space=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":389,\"sentBytes\":7661,\"connectionSerialNumber\":509415,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.053,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"90d01d91f0d170fe1b5f723d3a5c5fe2\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.052\",\"upst
reamSourcePort\":\"22838\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:36:28,157][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:35:51+00:00", "timeStamp"=>"2024-02-
25T03:35:51+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>36104,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.67e-1,
"transactionId"=>"d0b1b81110a4fbd6f2a056fbe371323b", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=all&namber=97806&no=0&space=0&type=0", "WAFEvaluationTime"=>"0.004",
"serverStatus"=>"200", "clientIP"=>"85.208.96.207", "httpStatus"=>200,
"sentBytes"=>3357, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509411, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>366,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=all&namber=97806&no=0&space=0&type=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.5e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"22838",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.064"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:36:28,158][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:35:53+00:00", "timeStamp"=>"2024-02-
25T03:35:53+00:00", "listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect",
"properties"=>{"host"=>"", "clientPort"=>33110, "sslProtocol"=>"",
"serverRouted"=>"", "sslCipher"=>"", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"c90cd58c798c54bf2a9546eba924d4cf", "sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
In=1&mo=136200&mode=al2&namber=5789364&no=0&page=0&rev=1&space=0",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"185.191.171.5",
"httpStatus"=>301, "sentBytes"=>515,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509414, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>389,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"In=1&mo=136200&mode=al2&namber=5789364&no=0&page=0&rev=1&space=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, :field=>"records"}
[2024-02-25T03:36:28,158][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:35:55+00:00", "timeStamp"=>"2024-02-
25T03:35:55+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>28584,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.53e-1,
"transactionId"=>"90d01d91f0d170fe1b5f723d3a5c5fe2", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
In=1&mo=136200&mode=al2&namber=5789364&no=0&page=0&rev=1&space=0",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"185.191.171.19",
"httpStatus"=>200, "sentBytes"=>7661,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509415, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>389,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"In=1&mo=136200&mode=al2&namber=5789364&no=0&page=0&rev=1&space=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"22838",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.052"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:36:28,173][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>3, :payload_size=>41234, :content_length=>3656, :batch_offset=>0}
[2024-02-25T03:36:28,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:36:28,374][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20289
[2024-02-25T03:36:28,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25104
[2024-02-25T03:36:28,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20219
[2024-02-25T03:36:28,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20239
[2024-02-25T03:36:28,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:36:28,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:36:28,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20288
[2024-02-25T03:36:28,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:36:28,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:36:28,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:36:28,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:36:28,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:36:28,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:36:28,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:36:28,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25104
[2024-02-25T03:36:28,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20219
[2024-02-25T03:36:28,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20239
[2024-02-25T03:36:28,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:36:28,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:36:28,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:36:28,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:36:28,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:36:28,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:36:28,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:36:28,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:36:28,594][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:36:28,594][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:36:28,594][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:36:28,614][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:36:28,614][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:36:28,614][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:36:28,661][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_fa3633_1708832068590_MF_dea4fe_1708832068367-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
0], linkName[LN_f9801c_1708832068620_e07_G30] - schedule operation timer, current:
[2024-02-25T03:36:28.661896032Z], remaining: [60] secs
[2024-02-25T03:36:28,663][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:36:28,663][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:36:28,663][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:36:30,717][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:36:30,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:36:30,727][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:36:31,565][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=540156057} forced-compaction result (captures: `3` span: `PT10.00662362S`)
[2024-02-25T03:36:31,566][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1346215174} forced-compaction result (captures: `3` span: `PT10.006886425S`)
[2024-02-25T03:36:31,566][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=827149645} forced-compaction result (captures: `3` span: `PT10.007035328S`)
[2024-02-25T03:36:31,566][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=235286487} forced-compaction result (captures: `3` span: `PT10.006824924S`)
[2024-02-25T03:36:31,566][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1065480294} forced-compaction result (captures: `3` span: `PT10.006760022S`)
[2024-02-25T03:36:31,566][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=57188157} forced-compaction result (captures: `3` span: `PT10.006751323S`)
[2024-02-25T03:36:31,566][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1486130488} forced-compaction result (captures: `3` span: `PT10.006742723S`)
[2024-02-25T03:36:31,566][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1741908330} forced-compaction result (captures: `3` span: `PT10.006772323S`)
[2024-02-25T03:36:31,566][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1466017590} forced-compaction result (captures: `3` span: `PT10.006768623S`)
[2024-02-25T03:36:31,566][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=272063376} forced-compaction result (captures: `3` span: `PT10.006778123S`)
[2024-02-25T03:36:31,566][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1815538147} forced-compaction result (captures: `3` span: `PT10.006832824S`)
[2024-02-25T03:36:31,567][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=273831222} forced-compaction result (captures: `3` span: `PT10.006861125S`)
[2024-02-25T03:36:31,567][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1255151645} forced-compaction result (captures: `3` span: `PT10.006862024S`)
[2024-02-25T03:36:31,567][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1620128012} forced-compaction result (captures: `3` span: `PT10.006854625S`)
[2024-02-25T03:36:31,567][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1001633036} forced-compaction result (captures: `3` span: `PT10.006686822S`)
[2024-02-25T03:36:31,567][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=969583785} forced-compaction result (captures: `3` span: `PT10.00664682S`)
[2024-02-25T03:36:31,746][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:36:31,746][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:36:32,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:36:32,744][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
1], linkName[LN_7535a2_1708832073460_45c_G10] - schedule operation timer, current:
[2024-02-25T03:36:32.744503674Z], remaining: [60] secs
[2024-02-25T03:36:33,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:36:33,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25288
[2024-02-25T03:36:33,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20104
[2024-02-25T03:36:33,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25219
[2024-02-25T03:36:33,375][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25239
[2024-02-25T03:36:33,376][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:36:33,376][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:36:33,376][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25287
[2024-02-25T03:36:33,376][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:36:33,376][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20103
[2024-02-25T03:36:33,376][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:36:33,376][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25218
[2024-02-25T03:36:33,376][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:36:33,376][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25238
[2024-02-25T03:36:33,376][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:36:33,376][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:36:33,376][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:36:33,376][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:36:33,376][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:36:33,376][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:36:33,376][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:36:33,376][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:36:33,376][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:36:33,376][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:36:33,376][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:36:33,376][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:36:33,479][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:36:33,479][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:36:33,479][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:36:33,719][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:36:33,719][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:36:33,728][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:36:36,570][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=2108110993} forced-compaction result (captures: `3` span: `PT10.006877226S`)
[2024-02-25T03:36:36,570][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1130893468} forced-compaction result (captures: `3` span: `PT10.007045129S`)
[2024-02-25T03:36:36,723][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:36:36,723][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:36:36,732][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:36:36,752][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:36:36,753][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:36:37,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:36:37,728][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is processing a batch of
size 1.
[2024-02-25T03:36:37,730][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Saving checkpoint: 1533313445640//1261836
[2024-02-25T03:36:37,730][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: updateCheckpoint() 1533313445640//1261836
[2024-02-25T03:36:37,730][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 finished processing a batch
of 1450 bytes.
[2024-02-25T03:36:37,781][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:36:37.729863954Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:36:08+00:00\", \"time\": \"2024-02-25T03:36:08+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15400\",\"requestUri\":\"\\/00\\/
S5YA15400\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":753,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"e26b9b709a1451
a58c4db8264884eb10\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}}]}",
"event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:36:08+00:00\", \"time\": \"2024-02-25T03:36:08+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15400\",\"requestUri\":\"\\/00\\/
S5YA15400\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":753,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"e26b9b709a1451
a58c4db8264884eb10\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}}]}"}}}
[2024-02-25T03:36:37,782][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:36:08+00:00", "timeStamp"=>"2024-02-25T03:36:08+00:00",
"listenerName"=>"APG01_Listener15_HTTPS_AutoID-Redirect",
"properties"=>{"host"=>"", "clientPort"=>35780, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"",
"timeTaken"=>0, "transactionId"=>"e26b9b709a1451a58c4db8264884eb10",
"sslClientVerify"=>"NONE", "originalRequestUriWithArgs"=>"/00/S5YA15400",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"13.73.28.76",
"httpStatus"=>307, "sentBytes"=>463, "requestUri"=>"/00/S5YA15400",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509422, "contentType"=>"",
"originalHost"=>"autoid.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>753,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule15_AutoID-Redirect"}], "@timestamp"=>2024-02-
25T03:36:37.729863954Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:36:08+00:00\", \"time\": \"2024-02-25T03:36:08+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15400\",\"requestUri\":\"\\/00\\/
S5YA15400\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":753,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"e26b9b709a1451
a58c4db8264884eb10\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}}]}",
"event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:36:08+00:00\", \"time\": \"2024-02-25T03:36:08+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15400\",\"requestUri\":\"\\/00\\/
S5YA15400\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":753,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"e26b9b709a1451
a58c4db8264884eb10\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}}]}"}}}
[2024-02-25T03:36:37,783][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:36:08+00:00", "timeStamp"=>"2024-02-
25T03:36:08+00:00", "listenerName"=>"APG01_Listener15_HTTPS_AutoID-Redirect",
"properties"=>{"host"=>"", "clientPort"=>35780, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"",
"timeTaken"=>0, "transactionId"=>"e26b9b709a1451a58c4db8264884eb10",
"sslClientVerify"=>"NONE", "originalRequestUriWithArgs"=>"/00/S5YA15400",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"13.73.28.76",
"httpStatus"=>307, "sentBytes"=>463, "requestUri"=>"/00/S5YA15400",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509422, "contentType"=>"",
"originalHost"=>"autoid.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>753,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule15_AutoID-Redirect"}, :field=>"records"}
[2024-02-25T03:36:37,793][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>1, :payload_size=>5096, :content_length=>1535, :batch_offset=>0}
[2024-02-25T03:36:38,376][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:36:38,376][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:36:38,377][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20286
[2024-02-25T03:36:38,377][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25102
[2024-02-25T03:36:38,377][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20217
[2024-02-25T03:36:38,377][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20237
[2024-02-25T03:36:38,377][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:36:38,377][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:36:38,377][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:36:38,377][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:36:38,377][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:36:38,377][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:36:38,377][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:36:38,377][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:36:38,377][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20286
[2024-02-25T03:36:38,378][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25101
[2024-02-25T03:36:38,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20210
[2024-02-25T03:36:38,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20230
[2024-02-25T03:36:38,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:36:38,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:36:38,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:36:38,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:36:38,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:36:38,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:36:38,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 7
[2024-02-25T03:36:38,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:36:38,594][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:36:38,595][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:36:38,595][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:36:38,614][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:36:38,614][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:36:38,614][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:36:38,663][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:36:38,664][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:36:38,664][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:36:38,975][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_539107_1708832038496_MF_00b33c_1708832038383-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
2], linkName[LN_c22bd3_1708832038545_dc7f_G9] - schedule operation timer, current:
[2024-02-25T03:36:38.975785065Z], remaining: [60] secs
[2024-02-25T03:36:39,718][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:36:39,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:36:39,720][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:36:41,765][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:36:41,765][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:36:42,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:36:42,724][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:36:42,724][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:36:42,726][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:36:43,378][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:36:43,378][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25286
[2024-02-25T03:36:43,378][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20101
[2024-02-25T03:36:43,378][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25217
[2024-02-25T03:36:43,378][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25236
[2024-02-25T03:36:43,378][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:36:43,378][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:36:43,378][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:36:43,378][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:36:43,378][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:36:43,378][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:36:43,378][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:36:43,378][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:36:43,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:36:43,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25280
[2024-02-25T03:36:43,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20095
[2024-02-25T03:36:43,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25211
[2024-02-25T03:36:43,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25230
[2024-02-25T03:36:43,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:36:43,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:36:43,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:36:43,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:36:43,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:36:43,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:36:43,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:36:43,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:36:43,479][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:36:43,479][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:36:43,480][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:36:43,905][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 is processing a batch of
size 1.
[2024-02-25T03:36:43,909][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: Saving checkpoint: 1533336240944//1261933
[2024-02-25T03:36:43,909][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: updateCheckpoint() 1533336240944//1261933
[2024-02-25T03:36:43,909][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 finished processing a batch
of 4801 bytes.
[2024-02-25T03:36:43,909][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
1], linkName[LN_7535a2_1708832073460_45c_G10] - schedule operation timer, current:
[2024-02-25T03:36:43.909426748Z], remaining: [60] secs
[2024-02-25T03:36:43,960][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:36:43.908149221Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:36:11+00:00\", \"time\": \"2024-02-25T03:36:11+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.5\",\"clientPort\":44468,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
In=1&mo=7564&mode=res&namber=148995&no=0&page=0&space=15\",\"requestUri\":\"\\/cgi-
bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"In=1&mo=7564&mode=res&namber=148995&no=0&page=0&space
=15\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":381,\"sentBytes\":507,\"connectionSerialNumber\":509440,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"f2be6da4728107
5b5457460151f83902\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:36:11+00:00\", \"time\": \"2024-02-
25T03:36:11+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"114.119.166.95\",\"clientPort\":37533,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=31872&page&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=31872&page&no=0\",\"userAgent\":\"Moz
illa\\/5.0 (compatible;PetalBot;+https:\\/\\/webmaster.petalsearch.com\\/site\\/
petalbot)\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus
\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":560,\"sentBytes\":487,\"connectionSerialNumber\":509441,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"6a654976002ea6
43bf762fb5cc0b6cfe\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:36:17+00:00\", \"time\": \"2024-02-
25T03:36:17+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.3\",\"clientPort\":28522,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=19897&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=19897&no=0&page\",\"userAgent\":\"Moz
illa\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":356,\"sentBytes\":5974,\"connectionSerialNumber\":509443,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.06,\"WAFEva
luationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"df93a9d783649482c262e0dc1eda14f4\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"41284\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:36:11+00:00\", \"time\": \"2024-02-
25T03:36:11+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.5\",\"clientPort\":44468,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
In=1&mo=7564&mode=res&namber=148995&no=0&page=0&space=15\",\"requestUri\":\"\\/cgi-
bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"In=1&mo=7564&mode=res&namber=148995&no=0&page=0&space
=15\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":381,\"sentBytes\":507,\"connectionSerialNumber\":509440,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"f2be6da4728107
5b5457460151f83902\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:36:11+00:00\", \"time\": \"2024-02-
25T03:36:11+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"114.119.166.95\",\"clientPort\":37533,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=31872&page&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=31872&page&no=0\",\"userAgent\":\"Moz
illa\\/5.0 (compatible;PetalBot;+https:\\/\\/webmaster.petalsearch.com\\/site\\/
petalbot)\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus
\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":560,\"sentBytes\":487,\"connectionSerialNumber\":509441,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"6a654976002ea6
43bf762fb5cc0b6cfe\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:36:17+00:00\", \"time\": \"2024-02-
25T03:36:17+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.3\",\"clientPort\":28522,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=19897&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=19897&no=0&page\",\"userAgent\":\"Moz
illa\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\"
:\"HTTP\\/
1.1\",\"receivedBytes\":356,\"sentBytes\":5974,\"connectionSerialNumber\":509443,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.06,\"WAFEva
luationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"df93a9d783649482c262e0dc1eda14f4\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"41284\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:36:43,962][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:36:11+00:00", "timeStamp"=>"2024-02-25T03:36:11+00:00",
"listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect", "properties"=>{"host"=>"",
"clientPort"=>44468, "sslProtocol"=>"", "serverRouted"=>"", "sslCipher"=>"",
"WAFMode"=>"", "timeTaken"=>0, "transactionId"=>"f2be6da47281075b5457460151f83902",
"sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
In=1&mo=7564&mode=res&namber=148995&no=0&page=0&space=15", "WAFEvaluationTime"=>"",
"serverStatus"=>"", "clientIP"=>"185.191.171.5", "httpStatus"=>301,
"sentBytes"=>507, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509440, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>381,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"In=1&mo=7564&mode=res&namber=148995&no=0&page=0&space=15",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, {"time"=>"2024-02-
25T03:36:11+00:00", "timeStamp"=>"2024-02-25T03:36:11+00:00",
"listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect", "properties"=>{"host"=>"",
"clientPort"=>37533, "sslProtocol"=>"", "serverRouted"=>"", "sslCipher"=>"",
"WAFMode"=>"", "timeTaken"=>0, "transactionId"=>"6a654976002ea643bf762fb5cc0b6cfe",
"sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=31872&page&no=0", "WAFEvaluationTime"=>"", "serverStatus"=>"",
"clientIP"=>"114.119.166.95", "httpStatus"=>301, "sentBytes"=>487,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509441, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>560,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=res&namber=31872&page&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0
(compatible;PetalBot;+https://webmaster.petalsearch.com/site/petalbot)",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, {"time"=>"2024-02-
25T03:36:17+00:00", "timeStamp"=>"2024-02-25T03:36:17+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>28522,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.6e-1,
"transactionId"=>"df93a9d783649482c262e0dc1eda14f4", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=19897&no=0&page", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"185.191.171.3", "httpStatus"=>200,
"sentBytes"=>5974, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509443, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>356,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=res&namber=19897&no=0&page",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"41284",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.060"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}], "@timestamp"=>2024-02-
25T03:36:43.908149221Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:36:11+00:00\", \"time\": \"2024-02-25T03:36:11+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.5\",\"clientPort\":44468,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
In=1&mo=7564&mode=res&namber=148995&no=0&page=0&space=15\",\"requestUri\":\"\\/cgi-
bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"In=1&mo=7564&mode=res&namber=148995&no=0&page=0&space
=15\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":381,\"sentBytes\":507,\"connectionSerialNumber\":509440,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"f2be6da4728107
5b5457460151f83902\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:36:11+00:00\", \"time\": \"2024-02-
25T03:36:11+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"114.119.166.95\",\"clientPort\":37533,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=31872&page&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=31872&page&no=0\",\"userAgent\":\"Moz
illa\\/5.0 (compatible;PetalBot;+https:\\/\\/webmaster.petalsearch.com\\/site\\/
petalbot)\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus
\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":560,\"sentBytes\":487,\"connectionSerialNumber\":509441,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"6a654976002ea6
43bf762fb5cc0b6cfe\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:36:17+00:00\", \"time\": \"2024-02-
25T03:36:17+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.3\",\"clientPort\":28522,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=19897&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=19897&no=0&page\",\"userAgent\":\"Moz
illa\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":356,\"sentBytes\":5974,\"connectionSerialNumber\":509443,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.06,\"WAFEva
luationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/Applic
ationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"df93a9d783649482c262e0dc1eda14f4\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"41284\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:36:11+00:00\", \"time\": \"2024-02-
25T03:36:11+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.5\",\"clientPort\":44468,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
In=1&mo=7564&mode=res&namber=148995&no=0&page=0&space=15\",\"requestUri\":\"\\/cgi-
bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"In=1&mo=7564&mode=res&namber=148995&no=0&page=0&space
=15\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":381,\"sentBytes\":507,\"connectionSerialNumber\":509440,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"f2be6da4728107
5b5457460151f83902\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:36:11+00:00\", \"time\": \"2024-02-
25T03:36:11+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"114.119.166.95\",\"clientPort\":37533,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=31872&page&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=31872&page&no=0\",\"userAgent\":\"Moz
illa\\/5.0 (compatible;PetalBot;+https:\\/\\/webmaster.petalsearch.com\\/site\\/
petalbot)\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus
\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":560,\"sentBytes\":487,\"connectionSerialNumber\":509441,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"6a654976002ea6
43bf762fb5cc0b6cfe\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:36:17+00:00\", \"time\": \"2024-02-
25T03:36:17+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.3\",\"clientPort\":28522,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=19897&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=19897&no=0&page\",\"userAgent\":\"Moz
illa\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":356,\"sentBytes\":5974,\"connectionSerialNumber\":509443,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.06,\"WAFEva
luationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"df93a9d783649482c262e0dc1eda14f4\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"41284\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:36:43,963][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:36:11+00:00", "timeStamp"=>"2024-02-
25T03:36:11+00:00", "listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect",
"properties"=>{"host"=>"", "clientPort"=>44468, "sslProtocol"=>"",
"serverRouted"=>"", "sslCipher"=>"", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"f2be6da47281075b5457460151f83902", "sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
In=1&mo=7564&mode=res&namber=148995&no=0&page=0&space=15", "WAFEvaluationTime"=>"",
"serverStatus"=>"", "clientIP"=>"185.191.171.5", "httpStatus"=>301,
"sentBytes"=>507, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509440, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>381,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"In=1&mo=7564&mode=res&namber=148995&no=0&page=0&space=15",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, :field=>"records"}
[2024-02-25T03:36:43,963][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:36:11+00:00", "timeStamp"=>"2024-02-
25T03:36:11+00:00", "listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect",
"properties"=>{"host"=>"", "clientPort"=>37533, "sslProtocol"=>"",
"serverRouted"=>"", "sslCipher"=>"", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"6a654976002ea643bf762fb5cc0b6cfe", "sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=31872&page&no=0", "WAFEvaluationTime"=>"", "serverStatus"=>"",
"clientIP"=>"114.119.166.95", "httpStatus"=>301, "sentBytes"=>487,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509441, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>560,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=res&namber=31872&page&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0
(compatible;PetalBot;+https://webmaster.petalsearch.com/site/petalbot)",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, :field=>"records"}
[2024-02-25T03:36:43,964][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:36:17+00:00", "timeStamp"=>"2024-02-
25T03:36:17+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>28522,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.6e-1,
"transactionId"=>"df93a9d783649482c262e0dc1eda14f4", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=19897&no=0&page", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"185.191.171.3", "httpStatus"=>200,
"sentBytes"=>5974, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509443, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>356,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=res&namber=19897&no=0&page",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"41284",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.060"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:36:43,985][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>3, :payload_size=>37694, :content_length=>3447, :batch_offset=>0}
[2024-02-25T03:36:45,724][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:36:45,724][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:36:45,726][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:36:46,575][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=347708838} forced-compaction result
(captures: `13` span: `PT1M0.051681372S`)
[2024-02-25T03:36:46,575][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1975461151} forced-compaction result
(captures: `13` span: `PT1M0.051671472S`)
[2024-02-25T03:36:46,575][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=834359250} forced-compaction result
(captures: `13` span: `PT1M0.051657872S`)
[2024-02-25T03:36:46,575][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=212501865} forced-compaction result
(captures: `13` span: `PT1M0.051663372S`)
[2024-02-25T03:36:46,575][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1420193271} forced-compaction result
(captures: `13` span: `PT1M0.051650772S`)
[2024-02-25T03:36:46,771][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:36:46,771][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:36:47,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:36:48,372][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], linkName[LN_163586_1708832038575_634_G17] - Reschedule operation timer,
current: [2024-02-25T03:36:48.372028776Z], remaining: [49] secs
[2024-02-25T03:36:48,372][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], linkName[LN_163586_1708832038575_634_G17] - Reschedule operation timer,
current: [2024-02-25T03:36:48.372362985Z], remaining: [49] secs
[2024-02-25T03:36:48,378][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:36:48,379][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20286
[2024-02-25T03:36:48,379][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25101
[2024-02-25T03:36:48,379][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20216
[2024-02-25T03:36:48,379][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20235
[2024-02-25T03:36:48,379][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:36:48,379][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:36:48,379][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:36:48,379][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:36:48,379][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:36:48,379][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:36:48,379][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:36:48,379][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:36:48,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:36:48,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20279
[2024-02-25T03:36:48,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25095
[2024-02-25T03:36:48,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20210
[2024-02-25T03:36:48,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20229
[2024-02-25T03:36:48,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:36:48,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:36:48,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:36:48,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:36:48,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:36:48,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:36:48,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:36:48,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:36:48,595][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:36:48,595][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:36:48,595][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:36:48,615][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:36:48,615][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:36:48,615][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:36:48,664][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:36:48,664][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:36:48,664][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:36:48,722][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:36:48,722][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:36:48,731][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:36:51,578][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1185004608} forced-compaction result
(captures: `13` span: `PT1M0.051436182S`)
[2024-02-25T03:36:51,578][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=470312551} forced-compaction result
(captures: `13` span: `PT1M0.051099976S`)
[2024-02-25T03:36:51,579][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1089746968} forced-compaction result
(captures: `13` span: `PT1M0.051078176S`)
[2024-02-25T03:36:51,579][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=852728684} forced-compaction result
(captures: `13` span: `PT1M0.051069676S`)
[2024-02-25T03:36:51,579][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2044420810} forced-compaction result
(captures: `13` span: `PT1M0.051046176S`)
[2024-02-25T03:36:51,579][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=650053832} forced-compaction result
(captures: `13` span: `PT1M0.051037676S`)
[2024-02-25T03:36:51,579][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1206567167} forced-compaction result
(captures: `13` span: `PT1M0.051033876S`)
[2024-02-25T03:36:51,579][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1766603669} forced-compaction result
(captures: `13` span: `PT1M0.051028576S`)
[2024-02-25T03:36:51,579][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1260640580} forced-compaction result
(captures: `13` span: `PT1M0.050919475S`)
[2024-02-25T03:36:51,579][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=352608672} forced-compaction result
(captures: `13` span: `PT1M0.050943176S`)
[2024-02-25T03:36:51,579][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=83404487} forced-compaction result
(captures: `13` span: `PT1M0.050994878S`)
[2024-02-25T03:36:51,579][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=216053086} forced-compaction result
(captures: `13` span: `PT1M0.050993478S`)
[2024-02-25T03:36:51,579][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1499243647} forced-compaction result
(captures: `13` span: `PT1M0.050989678S`)
[2024-02-25T03:36:51,579][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1877198741} forced-compaction result
(captures: `13` span: `PT1M0.050970278S`)
[2024-02-25T03:36:51,722][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:36:51,722][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:36:51,730][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:36:51,782][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:36:51,782][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:36:52,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:36:53,124][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 0 is processing a batch of
size 1.
[2024-02-25T03:36:53,133][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: Saving checkpoint: 6725945905288//1542267
[2024-02-25T03:36:53,134][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: updateCheckpoint() 6725945905288//1542267
[2024-02-25T03:36:53,134][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 0 finished processing a batch
of 2067 bytes.
[2024-02-25T03:36:53,134][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_fa3633_1708832068590_MF_dea4fe_1708832068367-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
0], linkName[LN_f9801c_1708832068620_e07_G30] - schedule operation timer, current:
[2024-02-25T03:36:53.134156811Z], remaining: [60] secs
[2024-02-25T03:36:53,184][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:36:53.126703800Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:36:20+00:00\", \"time\": \"2024-02-25T03:36:20+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool12_ESS-
ESS\", \"backendSettingName\": \"APG02_HTTP12_ESS-
ESS\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Application
GatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62280,\"
httpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/ESS\\/ESS\\/VESD120.aspx?
qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d\",\"requestUri\":\"\\/ESS\\/ESS\\/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"requestQuery\":\"qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko)
Chrome\\/115.0.0.0 Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"application\\/x-www-form-urlencoded;
charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":36299,\"sentBytes\":138572,\"connectionSerialNumber\":53552
1,\"noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.072,\"W
AFEvaluationTime\":\"0.016\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/APG02_WAFPolicy12_ESS-
ESS\",\"transactionId\":\"d8fd033ab2b4ebbcdc53cc173fd00086\",\"sslEnabled\":\"on\",
\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.9.7:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.040\",\"upstr
eamSourcePort\":\"24746\",\"originalHost\":\"yazure-
ag.yokogawa.com\",\"host\":\"yazure-ag.yokogawa.com\"}}]}",
"event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:36:20+00:00\", \"time\": \"2024-02-25T03:36:20+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool12_ESS-
ESS\", \"backendSettingName\": \"APG02_HTTP12_ESS-
ESS\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Application
GatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62280,\"
httpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/ESS\\/ESS\\/VESD120.aspx?
qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d\",\"requestUri\":\"\\/ESS\\/ESS\\/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"requestQuery\":\"qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko)
Chrome\\/115.0.0.0 Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"application\\/x-www-form-urlencoded;
charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":36299,\"sentBytes\":138572,\"connectionSerialNumber\":53552
1,\"noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.072,\"W
AFEvaluationTime\":\"0.016\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/APG02_WAFPolicy12_ESS-
ESS\",\"transactionId\":\"d8fd033ab2b4ebbcdc53cc173fd00086\",\"sslEnabled\":\"on\",
\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.9.7:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.040\",\"upstr
eamSourcePort\":\"24746\",\"originalHost\":\"yazure-
ag.yokogawa.com\",\"host\":\"yazure-ag.yokogawa.com\"}}]}"}}}
[2024-02-25T03:36:53,185][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:36:20+00:00", "timeStamp"=>"2024-02-25T03:36:20+00:00",
"backendPoolName"=>"APG02_BackendPool12_ESS-ESS",
"listenerName"=>"APG02_Listener01_HTTPS", "properties"=>{"host"=>"yazure-
ag.yokogawa.com", "clientPort"=>62280, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.14.9.7:80", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.72e-1,
"transactionId"=>"d8fd033ab2b4ebbcdc53cc173fd00086", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/ESS/ESS/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d", "WAFEvaluationTime"=>"0.016",
"serverStatus"=>"200", "clientIP"=>"219.106.244.24", "httpStatus"=>200,
"sentBytes"=>138572, "requestUri"=>"/ESS/ESS/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy12_ESS-ESS",
"connectionSerialNumber"=>535521, "contentType"=>"application/x-www-form-
urlencoded; charset=UTF-8", "originalHost"=>"yazure-ag.yokogawa.com",
"sslEnabled"=>"on", "receivedBytes"=>36299, "httpMethod"=>"POST",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5",
"requestQuery"=>"qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.5e-2,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188",
"upstreamSourcePort"=>"24746", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>"0.040"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP12_ESS-ESS",
"category"=>"ApplicationGatewayAccessLog", "ruleName"=>"APG02_RoutingRule01"}],
"@timestamp"=>2024-02-25T03:36:53.126703800Z, "message"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:36:20+00:00\", \"time\": \"2024-02-
25T03:36:20+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_
RoutingRule01\", \"backendPoolName\": \"APG02_BackendPool12_ESS-
ESS\", \"backendSettingName\": \"APG02_HTTP12_ESS-
ESS\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Application
GatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62280,\"
httpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/ESS\\/ESS\\/VESD120.aspx?
qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d\",\"requestUri\":\"\\/ESS\\/ESS\\/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"requestQuery\":\"qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko)
Chrome\\/115.0.0.0 Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"application\\/x-www-form-urlencoded;
charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":36299,\"sentBytes\":138572,\"connectionSerialNumber\":53552
1,\"noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.072,\"W
AFEvaluationTime\":\"0.016\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/APG02_WAFPolicy12_ESS-
ESS\",\"transactionId\":\"d8fd033ab2b4ebbcdc53cc173fd00086\",\"sslEnabled\":\"on\",
\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.9.7:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.040\",\"upstr
eamSourcePort\":\"24746\",\"originalHost\":\"yazure-
ag.yokogawa.com\",\"host\":\"yazure-ag.yokogawa.com\"}}]}",
"event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:36:20+00:00\", \"time\": \"2024-02-25T03:36:20+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool12_ESS-
ESS\", \"backendSettingName\": \"APG02_HTTP12_ESS-
ESS\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Application
GatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62280,\"
httpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/ESS\\/ESS\\/VESD120.aspx?
qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d\",\"requestUri\":\"\\/ESS\\/ESS\\/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"requestQuery\":\"qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko)
Chrome\\/115.0.0.0 Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"application\\/x-www-form-urlencoded;
charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":36299,\"sentBytes\":138572,\"connectionSerialNumber\":53552
1,\"noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.072,\"W
AFEvaluationTime\":\"0.016\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/APG02_WAFPolicy12_ESS-
ESS\",\"transactionId\":\"d8fd033ab2b4ebbcdc53cc173fd00086\",\"sslEnabled\":\"on\",
\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.9.7:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.040\",\"upstr
eamSourcePort\":\"24746\",\"originalHost\":\"yazure-
ag.yokogawa.com\",\"host\":\"yazure-ag.yokogawa.com\"}}]}"}}}
[2024-02-25T03:36:53,186][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:36:20+00:00", "timeStamp"=>"2024-02-
25T03:36:20+00:00", "backendPoolName"=>"APG02_BackendPool12_ESS-ESS",
"listenerName"=>"APG02_Listener01_HTTPS", "properties"=>{"host"=>"yazure-
ag.yokogawa.com", "clientPort"=>62280, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.14.9.7:80", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.72e-1,
"transactionId"=>"d8fd033ab2b4ebbcdc53cc173fd00086", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/ESS/ESS/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d", "WAFEvaluationTime"=>"0.016",
"serverStatus"=>"200", "clientIP"=>"219.106.244.24", "httpStatus"=>200,
"sentBytes"=>138572, "requestUri"=>"/ESS/ESS/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy12_ESS-ESS",
"connectionSerialNumber"=>535521, "contentType"=>"application/x-www-form-
urlencoded; charset=UTF-8", "originalHost"=>"yazure-ag.yokogawa.com",
"sslEnabled"=>"on", "receivedBytes"=>36299, "httpMethod"=>"POST",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5",
"requestQuery"=>"qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.5e-2,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188",
"upstreamSourcePort"=>"24746", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>"0.040"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP12_ESS-ESS",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule01"}, :field=>"records"}
[2024-02-25T03:36:53,189][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>1, :payload_size=>6977, :content_length=>1930, :batch_offset=>0}
[2024-02-25T03:36:53,379][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:36:53,379][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25285
[2024-02-25T03:36:53,379][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20101
[2024-02-25T03:36:53,379][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25216
[2024-02-25T03:36:53,379][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25236
[2024-02-25T03:36:53,380][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:36:53,380][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:36:53,380][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:36:53,380][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:36:53,380][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:36:53,380][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:36:53,380][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:36:53,380][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:36:53,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:36:53,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25278
[2024-02-25T03:36:53,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20094
[2024-02-25T03:36:53,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25209
[2024-02-25T03:36:53,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25229
[2024-02-25T03:36:53,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:36:53,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:36:53,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:36:53,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:36:53,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:36:53,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:36:53,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:36:53,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:36:53,480][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:36:53,480][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:36:53,480][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:36:54,721][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:36:54,721][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:36:54,723][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:36:56,581][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1206079401} forced-compaction result (captures: `3` span: `PT10.006638728S`)
[2024-02-25T03:36:56,582][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=725814568} forced-compaction result (captures: `3` span: `PT10.00662933S`)
[2024-02-25T03:36:56,582][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1730595321} forced-compaction result (captures: `3` span: `PT10.00664773S`)
[2024-02-25T03:36:56,582][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2047832316} forced-compaction result
(captures: `13` span: `PT1M0.050436257S`)
[2024-02-25T03:36:56,582][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=267304298} forced-compaction result
(captures: `13` span: `PT1M0.050457759S`)
[2024-02-25T03:36:56,790][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:36:56,790][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:36:56,901][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 is processing a batch of
size 1.
[2024-02-25T03:36:56,910][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: Saving checkpoint: 1533336245816//1261934
[2024-02-25T03:36:56,910][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: updateCheckpoint() 1533336245816//1261934
[2024-02-25T03:36:56,910][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 finished processing a batch
of 1451 bytes.
[2024-02-25T03:36:56,961][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:36:56.902800658Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:36:26+00:00\", \"time\": \"2024-02-25T03:36:26+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15400\",\"requestUri\":\"\\/00\\/
S5YA15400\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1004,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":2,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluation
Time\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"40ab4c8238c94
78f173de95f614d35de\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}}]}",
"event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:36:26+00:00\", \"time\": \"2024-02-25T03:36:26+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15400\",\"requestUri\":\"\\/00\\/
S5YA15400\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1004,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":2,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluation
Time\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"40ab4c8238c94
78f173de95f614d35de\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}}]}"}}}
[2024-02-25T03:36:56,962][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:36:26+00:00", "timeStamp"=>"2024-02-25T03:36:26+00:00",
"listenerName"=>"APG01_Listener15_HTTPS_AutoID-Redirect",
"properties"=>{"host"=>"", "clientPort"=>35780, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"",
"timeTaken"=>0, "transactionId"=>"40ab4c8238c9478f173de95f614d35de",
"sslClientVerify"=>"NONE", "originalRequestUriWithArgs"=>"/00/S5YA15400",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"13.73.28.76",
"httpStatus"=>307, "sentBytes"=>463, "requestUri"=>"/00/S5YA15400",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509422, "contentType"=>"",
"originalHost"=>"autoid.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>1004,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>2,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule15_AutoID-Redirect"}], "@timestamp"=>2024-02-
25T03:36:56.902800658Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:36:26+00:00\", \"time\": \"2024-02-25T03:36:26+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15400\",\"requestUri\":\"\\/00\\/
S5YA15400\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1004,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":2,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluation
Time\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"40ab4c8238c94
78f173de95f614d35de\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}}]}",
"event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:36:26+00:00\", \"time\": \"2024-02-25T03:36:26+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15400\",\"requestUri\":\"\\/00\\/
S5YA15400\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1004,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":2,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluation
Time\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"40ab4c8238c94
78f173de95f614d35de\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}}]}"}}}
[2024-02-25T03:36:56,962][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:36:26+00:00", "timeStamp"=>"2024-02-
25T03:36:26+00:00", "listenerName"=>"APG01_Listener15_HTTPS_AutoID-Redirect",
"properties"=>{"host"=>"", "clientPort"=>35780, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"",
"timeTaken"=>0, "transactionId"=>"40ab4c8238c9478f173de95f614d35de",
"sslClientVerify"=>"NONE", "originalRequestUriWithArgs"=>"/00/S5YA15400",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"13.73.28.76",
"httpStatus"=>307, "sentBytes"=>463, "requestUri"=>"/00/S5YA15400",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509422, "contentType"=>"",
"originalHost"=>"autoid.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>1004,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>2,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule15_AutoID-Redirect"}, :field=>"records"}
[2024-02-25T03:36:56,966][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>1, :payload_size=>5099, :content_length=>1536, :batch_offset=>0}
[2024-02-25T03:36:57,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:36:57,718][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:36:57,719][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:36:57,727][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:36:58,380][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:36:58,380][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20284
[2024-02-25T03:36:58,380][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25100
[2024-02-25T03:36:58,380][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20215
[2024-02-25T03:36:58,380][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20235
[2024-02-25T03:36:58,380][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:36:58,381][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:36:58,381][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:36:58,381][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:36:58,381][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:36:58,381][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:36:58,381][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:36:58,381][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:36:58,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:36:58,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20278
[2024-02-25T03:36:58,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25094
[2024-02-25T03:36:58,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20208
[2024-02-25T03:36:58,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20228
[2024-02-25T03:36:58,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:36:58,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:36:58,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:36:58,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:36:58,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:36:58,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:36:58,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:36:58,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:36:58,595][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:36:58,595][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:36:58,596][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:36:58,615][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:36:58,615][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:36:58,615][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:36:58,664][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:36:58,664][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:36:58,665][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:37:00,720][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:37:00,720][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:37:00,730][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:37:01,585][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=540156057} forced-compaction result (captures: `3` span: `PT10.006833413S`)
[2024-02-25T03:37:01,585][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1346215174} forced-compaction result (captures: `3` span: `PT10.00707292S`)
[2024-02-25T03:37:01,585][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=827149645} forced-compaction result (captures: `3` span: `PT10.007126822S`)
[2024-02-25T03:37:01,585][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=235286487} forced-compaction result (captures: `3` span: `PT10.006929617S`)
[2024-02-25T03:37:01,585][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1065480294} forced-compaction result (captures: `3` span: `PT10.006887115S`)
[2024-02-25T03:37:01,585][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=57188157} forced-compaction result (captures: `3` span: `PT10.006874915S`)
[2024-02-25T03:37:01,585][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1486130488} forced-compaction result (captures: `3` span: `PT10.006864815S`)
[2024-02-25T03:37:01,586][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1741908330} forced-compaction result (captures: `3` span: `PT10.006855914S`)
[2024-02-25T03:37:01,586][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1466017590} forced-compaction result (captures: `3` span: `PT10.006848514S`)
[2024-02-25T03:37:01,586][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=272063376} forced-compaction result (captures: `3` span: `PT10.006841514S`)
[2024-02-25T03:37:01,586][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1815538147} forced-compaction result (captures: `3` span: `PT10.006719511S`)
[2024-02-25T03:37:01,586][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=273831222} forced-compaction result (captures: `3` span: `PT10.00667091S`)
[2024-02-25T03:37:01,586][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1255151645} forced-compaction result (captures: `3` span: `PT10.006604907S`)
[2024-02-25T03:37:01,586][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1620128012} forced-compaction result (captures: `3` span: `PT10.006601707S`)
[2024-02-25T03:37:01,586][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1001633036} forced-compaction result (captures: `3` span: `PT10.006594907S`)
[2024-02-25T03:37:01,586][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=969583785} forced-compaction result (captures: `3` span: `PT10.006587807S`)
[2024-02-25T03:37:01,798][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:37:01,799][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:37:02,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:37:03,381][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:37:03,381][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25283
[2024-02-25T03:37:03,381][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20099
[2024-02-25T03:37:03,381][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25214
[2024-02-25T03:37:03,381][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25234
[2024-02-25T03:37:03,382][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:37:03,382][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:37:03,382][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:37:03,382][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:37:03,382][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:37:03,382][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:37:03,382][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:37:03,382][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:37:03,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:37:03,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25277
[2024-02-25T03:37:03,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20093
[2024-02-25T03:37:03,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25208
[2024-02-25T03:37:03,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25228
[2024-02-25T03:37:03,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:37:03,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:37:03,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:37:03,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:37:03,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:37:03,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:37:03,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:37:03,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:37:03,480][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:37:03,480][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:37:03,481][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:37:03,734][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:37:03,734][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:37:03,736][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:37:06,589][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=2108110993} forced-compaction result (captures: `3` span: `PT10.006432503S`)
[2024-02-25T03:37:06,589][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1130893468} forced-compaction result (captures: `3` span: `PT10.006747912S`)
[2024-02-25T03:37:06,721][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:37:06,722][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:37:06,731][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:37:06,811][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:37:06,811][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:37:07,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:37:07,705][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is processing a batch of
size 1.
[2024-02-25T03:37:07,711][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Saving checkpoint: 1533313447160//1261837
[2024-02-25T03:37:07,711][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: updateCheckpoint() 1533313447160//1261837
[2024-02-25T03:37:07,711][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 finished processing a batch
of 3696 bytes.
[2024-02-25T03:37:07,760][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:37:07.708147948Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:36:31+00:00\", \"time\": \"2024-02-25T03:36:31+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.10\",\"clientPort\":53368,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=all&namber=82867&no=0&space=0&type=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=all&namber=82867&no=0&space=0&type=0\",\"userAge
nt\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":366,\"sentBytes\":3357,\"connectionSerialNumber\":509447,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.062,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"b933553de6b730996d9ea1d160c4e810\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"41284\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:36:38+00:00\", \"time\": \"2024-02-25T03:36:38+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.10\",\"clientPort\":53390,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=39219&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=39219&no=0&page\",\"userAgent\":\"Moz
illa\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":356,\"sentBytes\":5974,\"connectionSerialNumber\":509450,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.063,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"4e293b86e32eea728178c80566b0ff0b\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"41284\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:36:31+00:00\", \"time\": \"2024-02-
25T03:36:31+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.10\",\"clientPort\":53368,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=all&namber=82867&no=0&space=0&type=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=all&namber=82867&no=0&space=0&type=0\",\"userAge
nt\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":366,\"sentBytes\":3357,\"connectionSerialNumber\":509447,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.062,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"b933553de6b730996d9ea1d160c4e810\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"41284\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:36:38+00:00\", \"time\": \"2024-02-25T03:36:38+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.10\",\"clientPort\":53390,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=39219&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=39219&no=0&page\",\"userAgent\":\"Moz
illa\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":356,\"sentBytes\":5974,\"connectionSerialNumber\":509450,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.063,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"4e293b86e32eea728178c80566b0ff0b\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"41284\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:37:07,761][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:36:31+00:00", "timeStamp"=>"2024-02-25T03:36:31+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>53368,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.62e-1,
"transactionId"=>"b933553de6b730996d9ea1d160c4e810", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=all&namber=82867&no=0&space=0&type=0", "WAFEvaluationTime"=>"0.004",
"serverStatus"=>"200", "clientIP"=>"185.191.171.10", "httpStatus"=>200,
"sentBytes"=>3357, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509447, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>366,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=all&namber=82867&no=0&space=0&type=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.5e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"41284",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.060"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, {"time"=>"2024-02-25T03:36:38+00:00",
"timeStamp"=>"2024-02-25T03:36:38+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>53390,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.63e-1,
"transactionId"=>"4e293b86e32eea728178c80566b0ff0b", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=39219&no=0&page", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"185.191.171.10", "httpStatus"=>200,
"sentBytes"=>5974, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509450, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>356,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=res&namber=39219&no=0&page",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.5e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"41284",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.060"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}], "@timestamp"=>2024-02-
25T03:37:07.708147948Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:36:31+00:00\", \"time\": \"2024-02-25T03:36:31+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.10\",\"clientPort\":53368,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=all&namber=82867&no=0&space=0&type=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=all&namber=82867&no=0&space=0&type=0\",\"userAge
nt\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":366,\"sentBytes\":3357,\"connectionSerialNumber\":509447,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.062,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"b933553de6b730996d9ea1d160c4e810\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"41284\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:36:38+00:00\", \"time\": \"2024-02-25T03:36:38+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.10\",\"clientPort\":53390,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=39219&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=39219&no=0&page\",\"userAgent\":\"Moz
illa\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":356,\"sentBytes\":5974,\"connectionSerialNumber\":509450,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.063,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"4e293b86e32eea728178c80566b0ff0b\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"41284\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:36:31+00:00\", \"time\": \"2024-02-
25T03:36:31+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.10\",\"clientPort\":53368,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=all&namber=82867&no=0&space=0&type=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=all&namber=82867&no=0&space=0&type=0\",\"userAge
nt\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":366,\"sentBytes\":3357,\"connectionSerialNumber\":509447,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.062,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"b933553de6b730996d9ea1d160c4e810\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverR
outed\":\"10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.06
0\",\"upstreamSourcePort\":\"41284\",\"originalHost\":\"rep.jp.yokogawa.com\",\"hos
t\":\"rep.jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:36:38+00:00\", \"time\": \"2024-02-25T03:36:38+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.10\",\"clientPort\":53390,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=39219&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=39219&no=0&page\",\"userAgent\":\"Moz
illa\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":356,\"sentBytes\":5974,\"connectionSerialNumber\":509450,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.063,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"4e293b86e32eea728178c80566b0ff0b\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"41284\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:37:07,762][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:36:31+00:00", "timeStamp"=>"2024-02-
25T03:36:31+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>53368,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.62e-1,
"transactionId"=>"b933553de6b730996d9ea1d160c4e810", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=all&namber=82867&no=0&space=0&type=0", "WAFEvaluationTime"=>"0.004",
"serverStatus"=>"200", "clientIP"=>"185.191.171.10", "httpStatus"=>200,
"sentBytes"=>3357, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509447, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>366,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=all&namber=82867&no=0&space=0&type=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.5e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"41284",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.060"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:37:07,762][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:36:38+00:00", "timeStamp"=>"2024-02-
25T03:36:38+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>53390,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.63e-1,
"transactionId"=>"4e293b86e32eea728178c80566b0ff0b", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=39219&no=0&page", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"185.191.171.10", "httpStatus"=>200,
"sentBytes"=>5974, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509450, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>356,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=res&namber=39219&no=0&page",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.5e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"41284",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.060"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:37:07,773][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>2, :payload_size=>20596, :content_length=>2483, :batch_offset=>0}
[2024-02-25T03:37:08,382][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:37:08,382][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20282
[2024-02-25T03:37:08,382][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25098
[2024-02-25T03:37:08,382][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20213
[2024-02-25T03:37:08,382][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20233
[2024-02-25T03:37:08,382][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:37:08,382][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:37:08,383][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:37:08,383][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:37:08,383][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:37:08,383][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:37:08,383][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:37:08,383][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:37:08,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:37:08,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20276
[2024-02-25T03:37:08,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25092
[2024-02-25T03:37:08,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20207
[2024-02-25T03:37:08,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20227
[2024-02-25T03:37:08,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:37:08,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:37:08,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:37:08,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:37:08,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:37:08,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:37:08,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:37:08,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:37:08,596][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:37:08,596][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:37:08,596][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:37:08,615][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:37:08,616][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:37:08,616][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:37:08,665][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:37:08,665][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:37:08,665][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:37:09,724][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:37:09,724][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:37:09,733][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:37:11,815][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:37:11,816][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:37:12,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:37:12,724][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:37:12,725][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:37:12,733][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:37:13,383][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:37:13,383][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25282
[2024-02-25T03:37:13,383][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20097
[2024-02-25T03:37:13,383][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25213
[2024-02-25T03:37:13,383][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25233
[2024-02-25T03:37:13,383][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:37:13,383][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:37:13,383][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:37:13,383][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:37:13,383][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:37:13,383][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:37:13,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:37:13,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:37:13,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:37:13,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25276
[2024-02-25T03:37:13,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20091
[2024-02-25T03:37:13,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25207
[2024-02-25T03:37:13,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25227
[2024-02-25T03:37:13,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:37:13,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:37:13,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:37:13,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:37:13,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:37:13,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:37:13,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:37:13,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:37:13,481][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:37:13,481][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:37:13,481][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:37:14,447][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 is processing a batch of
size 1.
[2024-02-25T03:37:14,450][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: Saving checkpoint: 1533336247336//1261935
[2024-02-25T03:37:14,450][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: updateCheckpoint() 1533336247336//1261935
[2024-02-25T03:37:14,450][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 finished processing a batch
of 1843 bytes.
[2024-02-25T03:37:14,501][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:37:14.449125129Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:36:41+00:00\", \"time\": \"2024-02-25T03:36:41+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"85.208.96.197\",\"clientPort\":8212,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=30581&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=30581&no=0&page\",\"userAgent\":\"Moz
illa\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":356,\"sentBytes\":5974,\"connectionSerialNumber\":509921,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.007,\"timeTaken\":0.065,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"4181c0c665fcd24c57018419c6c7bad9\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"58612\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:36:41+00:00\", \"time\": \"2024-02-
25T03:36:41+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"85.208.96.197\",\"clientPort\":8212,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=30581&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=30581&no=0&page\",\"userAgent\":\"Moz
illa\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":356,\"sentBytes\":5974,\"connectionSerialNumber\":509921,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.007,\"timeTaken\":0.065,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"4181c0c665fcd24c57018419c6c7bad9\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"58612\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:37:14,502][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:36:41+00:00", "timeStamp"=>"2024-02-25T03:36:41+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>8212,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.65e-1,
"transactionId"=>"4181c0c665fcd24c57018419c6c7bad9", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=30581&no=0&page", "WAFEvaluationTime"=>"0.004",
"serverStatus"=>"200", "clientIP"=>"85.208.96.197", "httpStatus"=>200,
"sentBytes"=>5974, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509921, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>356,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=res&namber=30581&no=0&page",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.7e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"58612",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.064"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}], "@timestamp"=>2024-02-
25T03:37:14.449125129Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:36:41+00:00\", \"time\": \"2024-02-25T03:36:41+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"85.208.96.197\",\"clientPort\":8212,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=30581&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=30581&no=0&page\",\"userAgent\":\"Moz
illa\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":356,\"sentBytes\":5974,\"connectionSerialNumber\":509921,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.007,\"timeTaken\":0.065,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"4181c0c665fcd24c57018419c6c7bad9\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"58612\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:36:41+00:00\", \"time\": \"2024-02-
25T03:36:41+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"85.208.96.197\",\"clientPort\":8212,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=30581&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=30581&no=0&page\",\"userAgent\":\"Moz
illa\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":356,\"sentBytes\":5974,\"connectionSerialNumber\":509921,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.007,\"timeTaken\":0.065,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"4181c0c665fcd24c57018419c6c7bad9\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"58612\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:37:14,503][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:36:41+00:00", "timeStamp"=>"2024-02-
25T03:36:41+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>8212,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.65e-1,
"transactionId"=>"4181c0c665fcd24c57018419c6c7bad9", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=30581&no=0&page", "WAFEvaluationTime"=>"0.004",
"serverStatus"=>"200", "clientIP"=>"85.208.96.197", "httpStatus"=>200,
"sentBytes"=>5974, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509921, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>356,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=res&namber=30581&no=0&page",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.7e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"58612",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.064"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:37:14,506][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>1, :payload_size=>6339, :content_length=>1882, :batch_offset=>0}
[2024-02-25T03:37:15,718][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:37:15,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:37:15,727][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:37:16,593][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=347708838} forced-compaction result
(captures: `13` span: `PT1M0.037774151S`)
[2024-02-25T03:37:16,594][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1975461151} forced-compaction result
(captures: `13` span: `PT1M0.037687552S`)
[2024-02-25T03:37:16,594][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=834359250} forced-compaction result
(captures: `13` span: `PT1M0.03762745S`)
[2024-02-25T03:37:16,594][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=212501865} forced-compaction result
(captures: `13` span: `PT1M0.037629251S`)
[2024-02-25T03:37:16,594][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1420193271} forced-compaction result
(captures: `13` span: `PT1M0.037635551S`)
[2024-02-25T03:37:16,826][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:37:16,826][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:37:17,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:37:18,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:37:18,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20281
[2024-02-25T03:37:18,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25097
[2024-02-25T03:37:18,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20212
[2024-02-25T03:37:18,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20232
[2024-02-25T03:37:18,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:37:18,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:37:18,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:37:18,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:37:18,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:37:18,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:37:18,384][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:37:18,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:37:18,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:37:18,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20276
[2024-02-25T03:37:18,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25092
[2024-02-25T03:37:18,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20207
[2024-02-25T03:37:18,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20227
[2024-02-25T03:37:18,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:37:18,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:37:18,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:37:18,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:37:18,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:37:18,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:37:18,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:37:18,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:37:18,596][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:37:18,596][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:37:18,597][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:37:18,616][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:37:18,616][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:37:18,616][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:37:18,665][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:37:18,665][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:37:18,665][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:37:18,717][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:37:18,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:37:18,719][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:37:21,596][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1185004608} forced-compaction result
(captures: `13` span: `PT1M0.037379786S`)
[2024-02-25T03:37:21,597][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=470312551} forced-compaction result
(captures: `13` span: `PT1M0.037309384S`)
[2024-02-25T03:37:21,597][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1089746968} forced-compaction result
(captures: `13` span: `PT1M0.037277683S`)
[2024-02-25T03:37:21,597][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=852728684} forced-compaction result
(captures: `13` span: `PT1M0.037329185S`)
[2024-02-25T03:37:21,597][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2044420810} forced-compaction result
(captures: `13` span: `PT1M0.037475688S`)
[2024-02-25T03:37:21,597][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=650053832} forced-compaction result
(captures: `13` span: `PT1M0.037483189S`)
[2024-02-25T03:37:21,597][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1206567167} forced-compaction result
(captures: `13` span: `PT1M0.037477088S`)
[2024-02-25T03:37:21,597][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1766603669} forced-compaction result
(captures: `13` span: `PT1M0.037457288S`)
[2024-02-25T03:37:21,597][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1260640580} forced-compaction result
(captures: `13` span: `PT1M0.037457388S`)
[2024-02-25T03:37:21,597][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=352608672} forced-compaction result
(captures: `13` span: `PT1M0.037449588S`)
[2024-02-25T03:37:21,597][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=83404487} forced-compaction result
(captures: `13` span: `PT1M0.037631391S`)
[2024-02-25T03:37:21,597][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=216053086} forced-compaction result
(captures: `13` span: `PT1M0.037679693S`)
[2024-02-25T03:37:21,597][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1499243647} forced-compaction result
(captures: `13` span: `PT1M0.03751949S`)
[2024-02-25T03:37:21,598][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1877198741} forced-compaction result
(captures: `13` span: `PT1M0.037482688S`)
[2024-02-25T03:37:21,724][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:37:21,724][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:37:21,726][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:37:21,836][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:37:21,837][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:37:22,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:37:23,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:37:23,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25280
[2024-02-25T03:37:23,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20096
[2024-02-25T03:37:23,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25211
[2024-02-25T03:37:23,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25231
[2024-02-25T03:37:23,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:37:23,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:37:23,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:37:23,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:37:23,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:37:23,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:37:23,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:37:23,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:37:23,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:37:23,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25275
[2024-02-25T03:37:23,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20091
[2024-02-25T03:37:23,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25206
[2024-02-25T03:37:23,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25226
[2024-02-25T03:37:23,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:37:23,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:37:23,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:37:23,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:37:23,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:37:23,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:37:23,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:37:23,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:37:23,481][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:37:23,481][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:37:23,481][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:37:24,718][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:37:24,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:37:24,727][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:37:26,600][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1206079401} forced-compaction result (captures: `3` span: `PT10.00712128S`)
[2024-02-25T03:37:26,601][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=725814568} forced-compaction result (captures: `3` span: `PT10.007101578S`)
[2024-02-25T03:37:26,601][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1730595321} forced-compaction result (captures: `3` span: `PT10.007095278S`)
[2024-02-25T03:37:26,601][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2047832316} forced-compaction result
(captures: `13` span: `PT1M0.037772502S`)
[2024-02-25T03:37:26,601][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=267304298} forced-compaction result
(captures: `13` span: `PT1M0.037747401S`)
[2024-02-25T03:37:26,849][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:37:26,849][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:37:27,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:37:27,724][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:37:27,724][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:37:27,726][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:37:28,385][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:37:28,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20279
[2024-02-25T03:37:28,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25095
[2024-02-25T03:37:28,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20210
[2024-02-25T03:37:28,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20230
[2024-02-25T03:37:28,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:37:28,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:37:28,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:37:28,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:37:28,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:37:28,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:37:28,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:37:28,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:37:28,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:37:28,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20274
[2024-02-25T03:37:28,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25090
[2024-02-25T03:37:28,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20205
[2024-02-25T03:37:28,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20225
[2024-02-25T03:37:28,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:37:28,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:37:28,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:37:28,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:37:28,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:37:28,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:37:28,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:37:28,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:37:28,597][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:37:28,597][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:37:28,597][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:37:28,616][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:37:28,616][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:37:28,616][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:37:28,662][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_fa3633_1708832068590_MF_dea4fe_1708832068367-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
0], linkName[LN_f9801c_1708832068620_e07_G30] - Reschedule operation timer,
current: [2024-02-25T03:37:28.662805443Z], remaining: [24] secs
[2024-02-25T03:37:28,666][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:37:28,666][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:37:28,666][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:37:30,718][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:37:30,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:37:30,720][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:37:31,603][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=540156057} forced-compaction result (captures: `3` span: `PT10.006856438S`)
[2024-02-25T03:37:31,603][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1346215174} forced-compaction result (captures: `3` span: `PT10.007070743S`)
[2024-02-25T03:37:31,604][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=827149645} forced-compaction result (captures: `3` span: `PT10.007171944S`)
[2024-02-25T03:37:31,604][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=235286487} forced-compaction result (captures: `3` span: `PT10.007012941S`)
[2024-02-25T03:37:31,604][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1065480294} forced-compaction result (captures: `3` span: `PT10.006979741S`)
[2024-02-25T03:37:31,604][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=57188157} forced-compaction result (captures: `3` span: `PT10.00692924S`)
[2024-02-25T03:37:31,604][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1486130488} forced-compaction result (captures: `3` span: `PT10.006775637S`)
[2024-02-25T03:37:31,604][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1741908330} forced-compaction result (captures: `3` span: `PT10.006846237S`)
[2024-02-25T03:37:31,604][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1466017590} forced-compaction result (captures: `3` span: `PT10.006884939S`)
[2024-02-25T03:37:31,604][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=272063376} forced-compaction result (captures: `3` span: `PT10.006910539S`)
[2024-02-25T03:37:31,604][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1815538147} forced-compaction result (captures: `3` span: `PT10.006913239S`)
[2024-02-25T03:37:31,604][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=273831222} forced-compaction result (captures: `3` span: `PT10.006915339S`)
[2024-02-25T03:37:31,604][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1255151645} forced-compaction result (captures: `3` span: `PT10.006724935S`)
[2024-02-25T03:37:31,604][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1620128012} forced-compaction result (captures: `3` span: `PT10.006672034S`)
[2024-02-25T03:37:31,604][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1001633036} forced-compaction result (captures: `3` span: `PT10.006660533S`)
[2024-02-25T03:37:31,604][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=969583785} forced-compaction result (captures: `3` span: `PT10.006652434S`)
[2024-02-25T03:37:31,855][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:37:31,855][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:37:32,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:37:32,744][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
1], linkName[LN_7535a2_1708832073460_45c_G10] - Reschedule operation timer,
current: [2024-02-25T03:37:32.744673834Z], remaining: [41] secs
[2024-02-25T03:37:33,386][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:37:33,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25279
[2024-02-25T03:37:33,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20094
[2024-02-25T03:37:33,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25210
[2024-02-25T03:37:33,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25229
[2024-02-25T03:37:33,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:37:33,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:37:33,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:37:33,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:37:33,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:37:33,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:37:33,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:37:33,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:37:33,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:37:33,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25275
[2024-02-25T03:37:33,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20090
[2024-02-25T03:37:33,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25206
[2024-02-25T03:37:33,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25225
[2024-02-25T03:37:33,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:37:33,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:37:33,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:37:33,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:37:33,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:37:33,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:37:33,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:37:33,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:37:33,482][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:37:33,482][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:37:33,482][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:37:33,718][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:37:33,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:37:33,727][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:37:33,917][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is processing a batch of
size 1.
[2024-02-25T03:37:33,925][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Saving checkpoint: 1533313450928//1261838
[2024-02-25T03:37:33,926][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: updateCheckpoint() 1533313450928//1261838
[2024-02-25T03:37:33,926][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 finished processing a batch
of 8440 bytes.
[2024-02-25T03:37:33,978][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:37:33.924763417Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:37:00+00:00\", \"time\": \"2024-02-25T03:37:00+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15401\",\"requestUri\":\"\\/00\\/
S5YA15401\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1004,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":4,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluation
Time\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"003fa625d45bc
885c9b712e7fedd14b6\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:37:01+00:00\", \"time\": \"2024-02-
25T03:37:01+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"85.208.96.201\",\"clientPort\":7608,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=2184&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=2184&no=0&page\",\"userAgent\":\"Mozi
lla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":355,\"sentBytes\":5971,\"connectionSerialNumber\":509471,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.07,\"WAFEva
luationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"c2193f0618fa8d1eda1155663ae74360\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.068\",\"upst
reamSourcePort\":\"30022\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:37:03+00:00\", \"time\": \"2024-02-25T03:37:03+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"107.173.185.166\",\"clientPort\":34432,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=41284&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=41284&no=0\",\"userAgent\":\"Mozilla\
\/5.0 (Macintosh; Intel Mac OS X 12.5; rv:114.0) Gecko\\/20100101
Firefox\\/114.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":522,\"sentBytes\":482,\"connectionSerialNumber\":509473,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"04e4fe0e5fa665
e20bb4c64559802ca4\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:37:04+00:00\", \"time\": \"2024-02-
25T03:37:04+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.11\",\"clientPort\":41932,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=14769&mode=al2&namber=41284&no=0&page=20&rev=0&space=240\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=14769&mode=al2&namber=41284&no=0&page=20&rev=0&spa
ce=240\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":384,\"sentBytes\":6528,\"connectionSerialNumber\":509474,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.004,\"timeTaken\":0.048,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"9fd94e60642cf7c756c274bc69cdf9aa\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.048\",\"upst
reamSourcePort\":\"30022\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:37:04+00:00\", \"time\": \"2024-02-25T03:37:04+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"107.173.185.166\",\"clientPort\":34016,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=41284&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=41284&no=0\",\"userAgent\":\"Mozilla\
\/5.0 (Macintosh; Intel Mac OS X 12.5; rv:114.0) Gecko\\/20100101
Firefox\\/114.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":506,\"sentBytes\":7988,\"connectionSerialNumber\":509475,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.057,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"a44e54285f3871bcc87050430e5d4486\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.056\",\"upst
reamSourcePort\":\"30022\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:37:00+00:00\", \"time\": \"2024-02-
25T03:37:00+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-Redirect\",
\"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15401\",\"requestUri\":\"\\/00\\/
S5YA15401\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1004,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":4,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluation
Time\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"003fa625d45bc
885c9b712e7fedd14b6\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:37:01+00:00\", \"time\": \"2024-02-
25T03:37:01+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"85.208.96.201\",\"clientPort\":7608,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=2184&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=2184&no=0&page\",\"userAgent\":\"Mozi
lla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":355,\"sentBytes\":5971,\"connectionSerialNumber\":509471,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.07,\"WAFEva
luationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"c2193f0618fa8d1eda1155663ae74360\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.068\",\"upst
reamSourcePort\":\"30022\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:37:03+00:00\", \"time\": \"2024-02-25T03:37:03+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"107.173.185.166\",\"clientPort\":34432,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=41284&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=41284&no=0\",\"userAgent\":\"Mozilla\
\/5.0 (Macintosh; Intel Mac OS X 12.5; rv:114.0) Gecko\\/20100101
Firefox\\/114.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":522,\"sentBytes\":482,\"connectionSerialNumber\":509473,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"04e4fe0e5fa665
e20bb4c64559802ca4\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:37:04+00:00\", \"time\": \"2024-02-
25T03:37:04+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.11\",\"clientPort\":41932,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=14769&mode=al2&namber=41284&no=0&page=20&rev=0&space=240\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=14769&mode=al2&namber=41284&no=0&page=20&rev=0&spa
ce=240\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":384,\"sentBytes\":6528,\"connectionSerialNumber\":509474,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.004,\"timeTaken\":0.048,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"9fd94e60642cf7c756c274bc69cdf9aa\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.048\",\"upst
reamSourcePort\":\"30022\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:37:04+00:00\", \"time\": \"2024-02-25T03:37:04+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"107.173.185.166\",\"clientPort\":34016,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=41284&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=41284&no=0\",\"userAgent\":\"Mozilla\
\/5.0 (Macintosh; Intel Mac OS X 12.5; rv:114.0) Gecko\\/20100101
Firefox\\/114.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":506,\"sentBytes\":7988,\"connectionSerialNumber\":509475,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.057,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"a44e54285f3871bcc87050430e5d4486\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.056\",\"upst
reamSourcePort\":\"30022\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:37:33,980][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:37:00+00:00", "timeStamp"=>"2024-02-25T03:37:00+00:00",
"listenerName"=>"APG01_Listener15_HTTPS_AutoID-Redirect",
"properties"=>{"host"=>"", "clientPort"=>35780, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"",
"timeTaken"=>0, "transactionId"=>"003fa625d45bc885c9b712e7fedd14b6",
"sslClientVerify"=>"NONE", "originalRequestUriWithArgs"=>"/00/S5YA15401",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"13.73.28.76",
"httpStatus"=>307, "sentBytes"=>463, "requestUri"=>"/00/S5YA15401",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509422, "contentType"=>"",
"originalHost"=>"autoid.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>1004,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>4,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule15_AutoID-Redirect"}, {"time"=>"2024-02-
25T03:37:01+00:00", "timeStamp"=>"2024-02-25T03:37:01+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>7608,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.7e-1,
"transactionId"=>"c2193f0618fa8d1eda1155663ae74360", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=2184&no=0&page", "WAFEvaluationTime"=>"0.004",
"serverStatus"=>"200", "clientIP"=>"85.208.96.201", "httpStatus"=>200,
"sentBytes"=>5971, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509471, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>355,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=res&namber=2184&no=0&page",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"30022",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.068"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, {"time"=>"2024-02-25T03:37:03+00:00",
"timeStamp"=>"2024-02-25T03:37:03+00:00",
"listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect", "properties"=>{"host"=>"",
"clientPort"=>34432, "sslProtocol"=>"", "serverRouted"=>"", "sslCipher"=>"",
"WAFMode"=>"", "timeTaken"=>0, "transactionId"=>"04e4fe0e5fa665e20bb4c64559802ca4",
"sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&namber=41284&no=0", "WAFEvaluationTime"=>"", "serverStatus"=>"",
"clientIP"=>"107.173.185.166", "httpStatus"=>301, "sentBytes"=>482,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509473, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>522,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&namber=41284&no=0", "error_info"=>"ERRORINFO_NO_ERROR",
"clientResponseTime"=>0, "userAgent"=>"Mozilla/5.0 (Macintosh; Intel Mac OS X 12.5;
rv:114.0) Gecko/20100101 Firefox/114.0", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, {"time"=>"2024-02-
25T03:37:04+00:00", "timeStamp"=>"2024-02-25T03:37:04+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>41932,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.48e-1,
"transactionId"=>"9fd94e60642cf7c756c274bc69cdf9aa", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mo=14769&mode=al2&namber=41284&no=0&page=20&rev=0&space=240",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"185.191.171.11",
"httpStatus"=>200, "sentBytes"=>6528,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509474, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>384,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mo=14769&mode=al2&namber=41284&no=0&page=20&rev=0&space=240",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.4e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"30022",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.048"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, {"time"=>"2024-02-25T03:37:04+00:00",
"timeStamp"=>"2024-02-25T03:37:04+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>34016,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.57e-1,
"transactionId"=>"a44e54285f3871bcc87050430e5d4486", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&namber=41284&no=0", "WAFEvaluationTime"=>"0.004", "serverStatus"=>"200",
"clientIP"=>"107.173.185.166", "httpStatus"=>200, "sentBytes"=>7988,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509475, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>506,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&namber=41284&no=0", "error_info"=>"ERRORINFO_NO_ERROR",
"clientResponseTime"=>0.6e-2, "userAgent"=>"Mozilla/5.0 (Macintosh; Intel Mac OS X
12.5; rv:114.0) Gecko/20100101 Firefox/114.0", "upstreamSourcePort"=>"30022",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.056"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}], "@timestamp"=>2024-02-
25T03:37:33.924763417Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:37:00+00:00\", \"time\": \"2024-02-25T03:37:00+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15401\",\"requestUri\":\"\\/00\\/
S5YA15401\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1004,\"sentBytes\":463,\"conn
ectionSerialNumber\":509422,\"noOfConnectionRequests\":4,\"clientResponseTime\":0,\
"timeTaken\":0,\"WAFEvaluationTime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"t
ransactionId\":\"003fa625d45bc885c9b712e7fedd14b6\",\"sslEnabled\":\"on\",\"sslCiph
er\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:37:01+00:00\", \"time\": \"2024-02-
25T03:37:01+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"85.208.96.201\",\"clientPort\":7608,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=2184&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=2184&no=0&page\",\"userAgent\":\"Mozi
lla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":355,\"sentBytes\":5971,\"connectionSerialNumber\":509471,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.07,\"WAFEva
luationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"c2193f0618fa8d1eda1155663ae74360\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.068\",\"upst
reamSourcePort\":\"30022\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:37:03+00:00\", \"time\": \"2024-02-25T03:37:03+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"107.173.185.166\",\"clientPort\":34432,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=41284&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=41284&no=0\",\"userAgent\":\"Mozilla\
\/5.0 (Macintosh; Intel Mac OS X 12.5; rv:114.0) Gecko\\/20100101
Firefox\\/114.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":522,\"sentBytes\":482,\"connectionSerialNumber\":509473,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"04e4fe0e5fa665
e20bb4c64559802ca4\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:37:04+00:00\", \"time\": \"2024-02-
25T03:37:04+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.11\",\"clientPort\":41932,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=14769&mode=al2&namber=41284&no=0&page=20&rev=0&space=240\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=14769&mode=al2&namber=41284&no=0&page=20&rev=0&spa
ce=240\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":384,\"sentBytes\":6528,\"connectionSerialNumber\":509474,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.004,\"timeTaken\":0.048,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"9fd94e60642cf7c756c274bc69cdf9aa\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.048\",\"upst
reamSourcePort\":\"30022\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:37:04+00:00\", \"time\": \"2024-02-25T03:37:04+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"107.173.185.166\",\"clientPort\":34016,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=41284&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=41284&no=0\",\"userAgent\":\"Mozilla\
\/5.0 (Macintosh; Intel Mac OS X 12.5; rv:114.0) Gecko\\/20100101
Firefox\\/114.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":506,\"sentBytes\":7988,\"connectionSerialNumber\":509475,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.057,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"a44e54285f3871bcc87050430e5d4486\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.056\",\"upst
reamSourcePort\":\"30022\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:37:00+00:00\", \"time\": \"2024-02-
25T03:37:00+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15401\",\"requestUri\":\"\\/00\\/
S5YA15401\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1004,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":4,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluation
Time\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"003fa625d45bc
885c9b712e7fedd14b6\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{
\"timeStamp\": \"2024-02-25T03:37:01+00:00\", \"time\": \"2024-02-
25T03:37:01+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"85.208.96.201\",\"clientPort\":7608,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=2184&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=2184&no=0&page\",\"userAgent\":\"Mozi
lla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":355,\"sentBytes\":5971,\"connectionSerialNumber\":509471,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.07,\"WAFEva
luationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"c2193f0618fa8d1eda1155663ae74360\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.068\",\"upst
reamSourcePort\":\"30022\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:37:03+00:00\", \"time\": \"2024-02-25T03:37:03+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"107.173.185.166\",\"clientPort\":34432,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=41284&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=41284&no=0\",\"userAgent\":\"Mozilla\
\/5.0 (Macintosh; Intel Mac OS X 12.5; rv:114.0) Gecko\\/20100101
Firefox\\/114.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":522,\"sentBytes\":482,\"connectionSerialNumber\":509473,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"04e4fe0e5fa665
e20bb4c64559802ca4\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:37:04+00:00\", \"time\": \"2024-02-
25T03:37:04+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.11\",\"clientPort\":41932,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=14769&mode=al2&namber=41284&no=0&page=20&rev=0&space=240\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=14769&mode=al2&namber=41284&no=0&page=20&rev=0&spa
ce=240\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":384,\"sentBytes\":6528,\"connectionSerialNumber\":509474,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.004,\"timeTaken\":0.048,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"9fd94e60642cf7c756c274bc69cdf9aa\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.048\",\"upst
reamSourcePort\":\"30022\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:37:04+00:00\", \"time\": \"2024-02-25T03:37:04+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"107.173.185.166\",\"clientPort\":34016,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=41284&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=41284&no=0\",\"userAgent\":\"Mozilla\
\/5.0 (Macintosh; Intel Mac OS X 12.5; rv:114.0) Gecko\\/20100101
Firefox\\/114.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":506,\"sentBytes\":7988,\"connectionSerialNumber\":509475,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.057,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"a44e54285f3871bcc87050430e5d4486\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.056\",\"upst
reamSourcePort\":\"30022\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:37:33,989][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:37:00+00:00", "timeStamp"=>"2024-02-
25T03:37:00+00:00", "listenerName"=>"APG01_Listener15_HTTPS_AutoID-Redirect",
"properties"=>{"host"=>"", "clientPort"=>35780, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"",
"timeTaken"=>0, "transactionId"=>"003fa625d45bc885c9b712e7fedd14b6",
"sslClientVerify"=>"NONE", "originalRequestUriWithArgs"=>"/00/S5YA15401",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"13.73.28.76",
"httpStatus"=>307, "sentBytes"=>463, "requestUri"=>"/00/S5YA15401",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509422, "contentType"=>"",
"originalHost"=>"autoid.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>1004,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>4,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule15_AutoID-Redirect"}, :field=>"records"}
[2024-02-25T03:37:33,989][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:37:01+00:00", "timeStamp"=>"2024-02-
25T03:37:01+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>7608,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.7e-1,
"transactionId"=>"c2193f0618fa8d1eda1155663ae74360", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=2184&no=0&page", "WAFEvaluationTime"=>"0.004",
"serverStatus"=>"200", "clientIP"=>"85.208.96.201", "httpStatus"=>200,
"sentBytes"=>5971, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509471, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>355,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=res&namber=2184&no=0&page",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"30022",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.068"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:37:33,989][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:37:03+00:00", "timeStamp"=>"2024-02-
25T03:37:03+00:00", "listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect",
"properties"=>{"host"=>"", "clientPort"=>34432, "sslProtocol"=>"",
"serverRouted"=>"", "sslCipher"=>"", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"04e4fe0e5fa665e20bb4c64559802ca4", "sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&namber=41284&no=0", "WAFEvaluationTime"=>"", "serverStatus"=>"",
"clientIP"=>"107.173.185.166", "httpStatus"=>301, "sentBytes"=>482,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509473, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>522,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&namber=41284&no=0", "error_info"=>"ERRORINFO_NO_ERROR",
"clientResponseTime"=>0, "userAgent"=>"Mozilla/5.0 (Macintosh; Intel Mac OS X 12.5;
rv:114.0) Gecko/20100101 Firefox/114.0", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, :field=>"records"}
[2024-02-25T03:37:33,990][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:37:04+00:00", "timeStamp"=>"2024-02-
25T03:37:04+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>41932,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.48e-1,
"transactionId"=>"9fd94e60642cf7c756c274bc69cdf9aa", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mo=14769&mode=al2&namber=41284&no=0&page=20&rev=0&space=240",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"185.191.171.11",
"httpStatus"=>200, "sentBytes"=>6528,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509474, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>384,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mo=14769&mode=al2&namber=41284&no=0&page=20&rev=0&space=240",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.4e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"30022",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.048"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:37:33,990][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:37:04+00:00", "timeStamp"=>"2024-02-
25T03:37:04+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>34016,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.57e-1,
"transactionId"=>"a44e54285f3871bcc87050430e5d4486", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&namber=41284&no=0", "WAFEvaluationTime"=>"0.004", "serverStatus"=>"200",
"clientIP"=>"107.173.185.166", "httpStatus"=>200, "sentBytes"=>7988,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509475, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>506,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&namber=41284&no=0", "error_info"=>"ERRORINFO_NO_ERROR",
"clientResponseTime"=>0.6e-2, "userAgent"=>"Mozilla/5.0 (Macintosh; Intel Mac OS X
12.5; rv:114.0) Gecko/20100101 Firefox/114.0", "upstreamSourcePort"=>"30022",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.056"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:37:34,020][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>5, :payload_size=>103627, :content_length=>7568, :batch_offset=>0}
[2024-02-25T03:37:36,606][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=2108110993} forced-compaction result (captures: `3` span: `PT10.005160301S`)
[2024-02-25T03:37:36,606][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1130893468} forced-compaction result (captures: `3` span: `PT10.005311904S`)
[2024-02-25T03:37:36,724][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:37:36,725][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:37:36,726][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:37:36,861][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:37:36,864][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:37:37,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:37:37,730][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], linkName[LN_163586_1708832038575_634_G17] - Reschedule operation timer,
current: [2024-02-25T03:37:37.730634324Z], remaining: [56] secs
[2024-02-25T03:37:37,730][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], linkName[LN_163586_1708832038575_634_G17] - Reschedule operation timer,
current: [2024-02-25T03:37:37.730940430Z], remaining: [56] secs
[2024-02-25T03:37:38,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:37:38,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20279
[2024-02-25T03:37:38,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25095
[2024-02-25T03:37:38,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20210
[2024-02-25T03:37:38,387][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20229
[2024-02-25T03:37:38,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:37:38,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:37:38,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:37:38,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:37:38,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:37:38,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:37:38,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:37:38,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:37:38,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:37:38,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20274
[2024-02-25T03:37:38,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25090
[2024-02-25T03:37:38,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20205
[2024-02-25T03:37:38,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20224
[2024-02-25T03:37:38,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:37:38,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:37:38,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:37:38,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:37:38,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:37:38,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:37:38,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:37:38,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:37:38,597][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:37:38,597][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:37:38,597][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:37:38,617][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:37:38,617][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:37:38,617][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:37:38,666][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:37:38,666][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:37:38,666][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:37:38,977][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_539107_1708832038496_MF_00b33c_1708832038383-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
2], linkName[LN_c22bd3_1708832038545_dc7f_G9] - schedule operation timer, current:
[2024-02-25T03:37:38.977216048Z], remaining: [60] secs
[2024-02-25T03:37:39,721][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:37:39,721][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:37:39,729][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:37:41,870][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:37:41,870][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:37:42,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:37:42,576][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 is processing a batch of
size 1.
[2024-02-25T03:37:42,586][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: Saving checkpoint: 1533336249248//1261936
[2024-02-25T03:37:42,586][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: updateCheckpoint() 1533336249248//1261936
[2024-02-25T03:37:42,586][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 finished processing a batch
of 5178 bytes.
[2024-02-25T03:37:42,637][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:37:42.579281737Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:37:12+00:00\", \"time\": \"2024-02-25T03:37:12+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"168.119.122.62\",\"clientPort\":59939,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=41284&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=41284&no=0\",\"userAgent\":\"Mozilla\
\/5.0 (Windows NT 10.0; Win64; x64; rv:114.0) Gecko\\/20100101
Firefox\\/114.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":371,\"sentBytes\":482,\"connectionSerialNumber\":509951,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"3551b717844cba
a77f3c6c8406157b47\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:37:13+00:00\", \"time\": \"2024-02-
25T03:37:13+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"168.119.122.62\",\"clientPort\":59955,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=res&namber=148995&type=0&space=0&mo=148995&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=148995&type=0&space=0&mo=148995&page=
0&no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; rv:114.0)
Gecko\\/20100101
Firefox\\/114.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":569,\"sentBytes\":6046,\"connectionSerialNumber\":509953,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.063,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"c9e230bf02190098ea3a1fd0131a348f\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"39618\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:37:14+00:00\", \"time\": \"2024-02-25T03:37:14+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.13\",\"clientPort\":50238,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=18325&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=18325&no=0&page\",\"userAgent\":\"Moz
illa\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":356,\"sentBytes\":5974,\"connectionSerialNumber\":509954,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.007,\"timeTaken\":0.06,\"WAFEva
luationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"08947b1bddbdeff66fd1aae1927c421e\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.056\",\"upst
reamSourcePort\":\"39618\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:37:12+00:00\", \"time\": \"2024-02-
25T03:37:12+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"168.119.122.62\",\"clientPort\":59939,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=41284&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=41284&no=0\",\"userAgent\":\"Mozilla\
\/5.0 (Windows NT 10.0; Win64; x64; rv:114.0) Gecko\\/20100101
Firefox\\/114.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":371,\"sentBytes\":482,\"connectionSerialNumber\":509951,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"3551b717844cba
a77f3c6c8406157b47\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:37:13+00:00\", \"time\": \"2024-02-
25T03:37:13+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"168.119.122.62\",\"clientPort\":59955,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=res&namber=148995&type=0&space=0&mo=148995&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=148995&type=0&space=0&mo=148995&page=
0&no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; rv:114.0)
Gecko\\/20100101
Firefox\\/114.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":569,\"sentBytes\":6046,\"connectionSerialNumber\":509953,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.063,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"c9e230bf02190098ea3a1fd0131a348f\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"39618\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:37:14+00:00\", \"time\": \"2024-02-25T03:37:14+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\",
\"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\": \"APG01_RoutingR
ule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\", \"backendSetting
Name\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGatewayAccess\", \"
category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.13\",\"clientPort\":50238,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=18325&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=18325&no=0&page\",\"userAgent\":\"Moz
illa\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":356,\"sentBytes\":5974,\"connectionSerialNumber\":509954,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.007,\"timeTaken\":0.06,\"WAFEva
luationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"08947b1bddbdeff66fd1aae1927c421e\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.056\",\"upst
reamSourcePort\":\"39618\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:37:42,640][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:37:12+00:00", "timeStamp"=>"2024-02-25T03:37:12+00:00",
"listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect", "properties"=>{"host"=>"",
"clientPort"=>59939, "sslProtocol"=>"", "serverRouted"=>"", "sslCipher"=>"",
"WAFMode"=>"", "timeTaken"=>0, "transactionId"=>"3551b717844cbaa77f3c6c8406157b47",
"sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&namber=41284&no=0", "WAFEvaluationTime"=>"", "serverStatus"=>"",
"clientIP"=>"168.119.122.62", "httpStatus"=>301, "sentBytes"=>482,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509951, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>371,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=al2&namber=41284&no=0", "error_info"=>"ERRORINFO_NO_ERROR",
"clientResponseTime"=>0, "userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64;
rv:114.0) Gecko/20100101 Firefox/114.0", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, {"time"=>"2024-02-
25T03:37:13+00:00", "timeStamp"=>"2024-02-25T03:37:13+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>59955,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.63e-1,
"transactionId"=>"c9e230bf02190098ea3a1fd0131a348f", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=148995&type=0&space=0&mo=148995&page=0&no=0",
"WAFEvaluationTime"=>"0.004", "serverStatus"=>"200", "clientIP"=>"168.119.122.62",
"httpStatus"=>200, "sentBytes"=>6046,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509953, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>569,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=res&namber=148995&type=0&space=0&mo=148995&page=0&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.5e-2,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:114.0) Gecko/20100101
Firefox/114.0", "upstreamSourcePort"=>"39618",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.060"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, {"time"=>"2024-02-25T03:37:14+00:00",
"timeStamp"=>"2024-02-25T03:37:14+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>50238,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.6e-1,
"transactionId"=>"08947b1bddbdeff66fd1aae1927c421e", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=18325&no=0&page", "WAFEvaluationTime"=>"0.004",
"serverStatus"=>"200", "clientIP"=>"185.191.171.13", "httpStatus"=>200,
"sentBytes"=>5974, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509954, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>356,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=res&namber=18325&no=0&page",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.7e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"39618",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.056"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}], "@timestamp"=>2024-02-
25T03:37:42.579281737Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:37:12+00:00\", \"time\": \"2024-02-25T03:37:12+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"168.119.122.62\",\"clientPort\":59939,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=41284&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=41284&no=0\",\"userAgent\":\"Mozilla\
\/5.0 (Windows NT 10.0; Win64; x64; rv:114.0) Gecko\\/20100101
Firefox\\/114.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":371,\"sentBytes\":482,\"connectionSerialNumber\":509951,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"3551b717844cba
a77f3c6c8406157b47\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:37:13+00:00\", \"time\": \"2024-02-
25T03:37:13+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"168.119.122.62\",\"clientPort\":59955,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=res&namber=148995&type=0&space=0&mo=148995&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=148995&type=0&space=0&mo=148995&page=
0&no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; rv:114.0)
Gecko\\/20100101
Firefox\\/114.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":569,\"sentBytes\":6046,\"connectionSerialNumber\":509953,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.063,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"c9e230bf02190098ea3a1fd0131a348f\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"39618\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:37:14+00:00\", \"time\": \"2024-02-25T03:37:14+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.13\",\"clientPort\":50238,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\
"\\/cgi-bin\\/fam3cyber\\/cbbs\\/cbbs.cgi?
mode=res&namber=18325&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=18325&no=0&page\",\"userAgent\":\"Moz
illa\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":356,\"sentBytes\":5974,\"connectionSerialNumber\":509954,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.007,\"timeTaken\":0.06,\"WAFEva
luationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"08947b1bddbdeff66fd1aae1927c421e\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.056\",\"upst
reamSourcePort\":\"39618\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:37:12+00:00\", \"time\": \"2024-02-
25T03:37:12+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"168.119.122.62\",\"clientPort\":59939,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=41284&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=41284&no=0\",\"userAgent\":\"Mozilla\
\/5.0 (Windows NT 10.0; Win64; x64; rv:114.0) Gecko\\/20100101
Firefox\\/114.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":371,\"sentBytes\":482,\"connectionSerialNumber\":509951,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"3551b717844cba
a77f3c6c8406157b47\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:37:13+00:00\", \"time\": \"2024-02-
25T03:37:13+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"168.119.122.62\",\"clientPort\":59955,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=res&namber=148995&type=0&space=0&mo=148995&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=148995&type=0&space=0&mo=148995&page=
0&no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; rv:114.0)
Gecko\\/20100101
Firefox\\/114.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":569,\"sentBytes\":6046,\"connectionSerialNumber\":509953,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.063,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"c9e230bf02190098ea3a1fd0131a348f\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"39618\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:37:14+00:00\", \"time\": \"2024-02-25T03:37:14+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.13\",\"clientPort\":50238,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=18325&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=18325&no=0&page\",\"userAgent\":\"Moz
illa\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":356,\"sentBytes\":5974,\"connectionSerialNumber\":509954,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.007,\"timeTaken\":0.06,\"WAFEva
luationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"08947b1bddbdeff66fd1aae1927c421e\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.056\",\"upst
reamSourcePort\":\"39618\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:37:42,641][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:37:12+00:00", "timeStamp"=>"2024-02-
25T03:37:12+00:00", "listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect",
"properties"=>{"host"=>"", "clientPort"=>59939, "sslProtocol"=>"",
"serverRouted"=>"", "sslCipher"=>"", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"3551b717844cbaa77f3c6c8406157b47", "sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&namber=41284&no=0", "WAFEvaluationTime"=>"", "serverStatus"=>"",
"clientIP"=>"168.119.122.62", "httpStatus"=>301, "sentBytes"=>482,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509951, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>371,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=al2&namber=41284&no=0", "error_info"=>"ERRORINFO_NO_ERROR",
"clientResponseTime"=>0, "userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64;
rv:114.0) Gecko/20100101 Firefox/114.0", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, :field=>"records"}
[2024-02-25T03:37:42,641][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:37:13+00:00", "timeStamp"=>"2024-02-
25T03:37:13+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>59955,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.63e-1,
"transactionId"=>"c9e230bf02190098ea3a1fd0131a348f", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=148995&type=0&space=0&mo=148995&page=0&no=0",
"WAFEvaluationTime"=>"0.004", "serverStatus"=>"200", "clientIP"=>"168.119.122.62",
"httpStatus"=>200, "sentBytes"=>6046,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509953, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>569,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=res&namber=148995&type=0&space=0&mo=148995&page=0&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.5e-2,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:114.0) Gecko/20100101
Firefox/114.0", "upstreamSourcePort"=>"39618",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.060"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:37:42,642][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:37:14+00:00", "timeStamp"=>"2024-02-
25T03:37:14+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>50238,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.6e-1,
"transactionId"=>"08947b1bddbdeff66fd1aae1927c421e", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=18325&no=0&page", "WAFEvaluationTime"=>"0.004",
"serverStatus"=>"200", "clientIP"=>"185.191.171.13", "httpStatus"=>200,
"sentBytes"=>5974, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509954, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>356,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=res&namber=18325&no=0&page",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.7e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"39618",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.056"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:37:42,653][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>3, :payload_size=>40385, :content_length=>3636, :batch_offset=>0}
[2024-02-25T03:37:42,723][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:37:42,724][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:37:42,725][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:37:43,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:37:43,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25278
[2024-02-25T03:37:43,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20094
[2024-02-25T03:37:43,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25209
[2024-02-25T03:37:43,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25229
[2024-02-25T03:37:43,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:37:43,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:37:43,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:37:43,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:37:43,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:37:43,388][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:37:43,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:37:43,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:37:43,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:37:43,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25273
[2024-02-25T03:37:43,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20089
[2024-02-25T03:37:43,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25204
[2024-02-25T03:37:43,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25224
[2024-02-25T03:37:43,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:37:43,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:37:43,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:37:43,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:37:43,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:37:43,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:37:43,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:37:43,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:37:43,482][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:37:43,482][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:37:43,482][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:37:43,910][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
1], linkName[LN_7535a2_1708832073460_45c_G10] - Reschedule operation timer,
current: [2024-02-25T03:37:43.910241091Z], remaining: [58] secs
[2024-02-25T03:37:45,022][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 is processing a batch of
size 1.
[2024-02-25T03:37:45,025][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: Saving checkpoint: 1533336254496//1261937
[2024-02-25T03:37:45,025][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: updateCheckpoint() 1533336254496//1261937
[2024-02-25T03:37:45,025][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 finished processing a batch
of 4784 bytes.
[2024-02-25T03:37:45,076][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:37:45.024856255Z}}
[2024-02-25T03:37:45,078][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:37:12+00:00", "timeStamp"=>"2024-02-25T03:37:12+00:00",
"listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect", "properties"=>{"host"=>"",
"clientPort"=>59938, "sslProtocol"=>"", "serverRouted"=>"", "sslCipher"=>"",
"WAFMode"=>"", "timeTaken"=>0, "transactionId"=>"9c21ad1764a6b7617b0d27642a414699",
"sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=148995&type=0&space=0&mo=148995&page=0&no=0",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"168.119.122.62",
"httpStatus"=>301, "sentBytes"=>515,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509496, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>404,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=res&namber=148995&type=0&space=0&mo=148995&page=0&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:114.0) Gecko/20100101
Firefox/114.0", "upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, {"time"=>"2024-02-
25T03:37:13+00:00", "timeStamp"=>"2024-02-25T03:37:13+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>59954,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.58e-1,
"transactionId"=>"badfd2ecb535506a6047ba001bc6f8db", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&namber=41284&no=0", "WAFEvaluationTime"=>"0.000", "serverStatus"=>"200",
"clientIP"=>"168.119.122.62", "httpStatus"=>200, "sentBytes"=>7988,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509497, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>503,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&namber=41284&no=0", "error_info"=>"ERRORINFO_NO_ERROR",
"clientResponseTime"=>0.6e-2, "userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64;
x64; rv:114.0) Gecko/20100101 Firefox/114.0", "upstreamSourcePort"=>"30022",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.060"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, {"time"=>"2024-02-25T03:37:15+00:00",
"timeStamp"=>"2024-02-25T03:37:15+00:00",
"listenerName"=>"APG01_Listener15_HTTPS_AutoID-Redirect",
"properties"=>{"host"=>"", "clientPort"=>35780, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"",
"timeTaken"=>0, "transactionId"=>"5d0bcc37882cafb12db76988f01df136",
"sslClientVerify"=>"NONE", "originalRequestUriWithArgs"=>"/00/S5YA15402",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"13.73.28.76",
"httpStatus"=>307, "sentBytes"=>463, "requestUri"=>"/00/S5YA15402",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509422, "contentType"=>"",
"originalHost"=>"autoid.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>981,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>5,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule15_AutoID-Redirect"}], "@timestamp"=>2024-02-
25T03:37:45.024856255Z}}
[2024-02-25T03:37:45,079][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:37:12+00:00", "timeStamp"=>"2024-02-
25T03:37:12+00:00", "listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect",
"properties"=>{"host"=>"", "clientPort"=>59938, "sslProtocol"=>"",
"serverRouted"=>"", "sslCipher"=>"", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"9c21ad1764a6b7617b0d27642a414699", "sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=148995&type=0&space=0&mo=148995&page=0&no=0",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"168.119.122.62",
"httpStatus"=>301, "sentBytes"=>515,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509496, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>404,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=res&namber=148995&type=0&space=0&mo=148995&page=0&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:114.0) Gecko/20100101
Firefox/114.0", "upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, :field=>"records"}
[2024-02-25T03:37:45,080][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:37:13+00:00", "timeStamp"=>"2024-02-
25T03:37:13+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>59954,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.58e-1,
"transactionId"=>"badfd2ecb535506a6047ba001bc6f8db", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&namber=41284&no=0", "WAFEvaluationTime"=>"0.000", "serverStatus"=>"200",
"clientIP"=>"168.119.122.62", "httpStatus"=>200, "sentBytes"=>7988,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509497, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>503,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&namber=41284&no=0", "error_info"=>"ERRORINFO_NO_ERROR",
"clientResponseTime"=>0.6e-2, "userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64;
x64; rv:114.0) Gecko/20100101 Firefox/114.0", "upstreamSourcePort"=>"30022",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.060"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:37:45,080][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:37:15+00:00", "timeStamp"=>"2024-02-
25T03:37:15+00:00", "listenerName"=>"APG01_Listener15_HTTPS_AutoID-Redirect",
"properties"=>{"host"=>"", "clientPort"=>35780, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"",
"timeTaken"=>0, "transactionId"=>"5d0bcc37882cafb12db76988f01df136",
"sslClientVerify"=>"NONE", "originalRequestUriWithArgs"=>"/00/S5YA15402",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"13.73.28.76",
"httpStatus"=>307, "sentBytes"=>463, "requestUri"=>"/00/S5YA15402",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509422, "contentType"=>"",
"originalHost"=>"autoid.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>981,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>5,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule15_AutoID-Redirect"}, :field=>"records"}
[2024-02-25T03:37:45,091][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>3, :payload_size=>37602, :content_length=>3652, :batch_offset=>0}
[2024-02-25T03:37:45,720][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:37:45,720][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:37:45,722][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:37:46,611][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=347708838} forced-compaction result
(captures: `13` span: `PT1M0.036322696S`)
[2024-02-25T03:37:46,611][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1975461151} forced-compaction result
(captures: `13` span: `PT1M0.036265795S`)
[2024-02-25T03:37:46,611][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=834359250} forced-compaction result
(captures: `13` span: `PT1M0.036282894S`)
[2024-02-25T03:37:46,611][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=212501865} forced-compaction result
(captures: `13` span: `PT1M0.036264094S`)
[2024-02-25T03:37:46,611][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1420193271} forced-compaction result
(captures: `13` span: `PT1M0.036252094S`)
[2024-02-25T03:37:46,876][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:37:46,879][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:37:47,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:37:48,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:37:48,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20277
[2024-02-25T03:37:48,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25093
[2024-02-25T03:37:48,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20208
[2024-02-25T03:37:48,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20228
[2024-02-25T03:37:48,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:37:48,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:37:48,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:37:48,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:37:48,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:37:48,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:37:48,389][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:37:48,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:37:48,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:37:48,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20273
[2024-02-25T03:37:48,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25089
[2024-02-25T03:37:48,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20204
[2024-02-25T03:37:48,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20224
[2024-02-25T03:37:48,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:37:48,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:37:48,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:37:48,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:37:48,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:37:48,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:37:48,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:37:48,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:37:48,598][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:37:48,598][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:37:48,598][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:37:48,617][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:37:48,617][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:37:48,617][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:37:48,666][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:37:48,666][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:37:48,666][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:37:48,722][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:37:48,722][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:37:48,724][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:37:51,614][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1185004608} forced-compaction result
(captures: `13` span: `PT1M0.035446168S`)
[2024-02-25T03:37:51,614][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=470312551} forced-compaction result
(captures: `13` span: `PT1M0.035421666S`)
[2024-02-25T03:37:51,614][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1089746968} forced-compaction result
(captures: `13` span: `PT1M0.035471967S`)
[2024-02-25T03:37:51,614][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=852728684} forced-compaction result
(captures: `13` span: `PT1M0.035472867S`)
[2024-02-25T03:37:51,614][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2044420810} forced-compaction result
(captures: `13` span: `PT1M0.035480867S`)
[2024-02-25T03:37:51,614][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=650053832} forced-compaction result
(captures: `13` span: `PT1M0.035492266S`)
[2024-02-25T03:37:51,614][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1206567167} forced-compaction result
(captures: `13` span: `PT1M0.035482366S`)
[2024-02-25T03:37:51,614][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1766603669} forced-compaction result
(captures: `13` span: `PT1M0.035473266S`)
[2024-02-25T03:37:51,614][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1260640580} forced-compaction result
(captures: `13` span: `PT1M0.035349762S`)
[2024-02-25T03:37:51,614][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=352608672} forced-compaction result
(captures: `13` span: `PT1M0.035314361S`)
[2024-02-25T03:37:51,614][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=83404487} forced-compaction result
(captures: `13` span: `PT1M0.035247559S`)
[2024-02-25T03:37:51,614][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=216053086} forced-compaction result
(captures: `13` span: `PT1M0.035232558S`)
[2024-02-25T03:37:51,614][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1499243647} forced-compaction result
(captures: `13` span: `PT1M0.035222858S`)
[2024-02-25T03:37:51,614][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1877198741} forced-compaction result
(captures: `13` span: `PT1M0.035213057S`)
[2024-02-25T03:37:51,722][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:37:51,722][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:37:51,724][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:37:51,888][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:37:51,888][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:37:52,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:37:53,135][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_fa3633_1708832068590_MF_dea4fe_1708832068367-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
0], linkName[LN_f9801c_1708832068620_e07_G30] - schedule operation timer, current:
[2024-02-25T03:37:53.135087528Z], remaining: [60] secs
[2024-02-25T03:37:53,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:37:53,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25276
[2024-02-25T03:37:53,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20092
[2024-02-25T03:37:53,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25208
[2024-02-25T03:37:53,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25227
[2024-02-25T03:37:53,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:37:53,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:37:53,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:37:53,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:37:53,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:37:53,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:37:53,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:37:53,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:37:53,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:37:53,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25272
[2024-02-25T03:37:53,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20088
[2024-02-25T03:37:53,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25204
[2024-02-25T03:37:53,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25223
[2024-02-25T03:37:53,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:37:53,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:37:53,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:37:53,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:37:53,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:37:53,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:37:53,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:37:53,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:37:53,483][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:37:53,483][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:37:53,483][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:37:54,718][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:37:54,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:37:54,720][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:37:56,616][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1206079401} forced-compaction result (captures: `3` span: `PT10.005213647S`)
[2024-02-25T03:37:56,617][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=725814568} forced-compaction result (captures: `3` span: `PT10.005220347S`)
[2024-02-25T03:37:56,617][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1730595321} forced-compaction result (captures: `3` span: `PT10.005186947S`)
[2024-02-25T03:37:56,617][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2047832316} forced-compaction result
(captures: `13` span: `PT1M0.034797209S`)
[2024-02-25T03:37:56,617][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=267304298} forced-compaction result
(captures: `13` span: `PT1M0.034763807S`)
[2024-02-25T03:37:56,897][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:37:56,898][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:37:57,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:37:57,723][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:37:57,723][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:37:57,732][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:37:58,390][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:37:58,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20275
[2024-02-25T03:37:58,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25092
[2024-02-25T03:37:58,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20207
[2024-02-25T03:37:58,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20226
[2024-02-25T03:37:58,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:37:58,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:37:58,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:37:58,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:37:58,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:37:58,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:37:58,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:37:58,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:37:58,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:37:58,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20272
[2024-02-25T03:37:58,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25089
[2024-02-25T03:37:58,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20204
[2024-02-25T03:37:58,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20222
[2024-02-25T03:37:58,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:37:58,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:37:58,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:37:58,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:37:58,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:37:58,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:37:58,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:37:58,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:37:58,408][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is processing a batch of
size 1.
[2024-02-25T03:37:58,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Saving checkpoint: 1533313459440//1261839
[2024-02-25T03:37:58,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: updateCheckpoint() 1533313459440//1261839
[2024-02-25T03:37:58,413][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 finished processing a batch
of 4753 bytes.
[2024-02-25T03:37:58,462][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:37:58.410541589Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:37:21+00:00\", \"time\": \"2024-02-25T03:37:21+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15402\",\"requestUri\":\"\\/00\\/
S5YA15402\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1004,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":6,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluation
Time\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"e069e6bd313f0
d3d3cbb5c8591f102a6\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:37:22+00:00\", \"time\": \"2024-02-
25T03:37:22+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"114.119.145.115\",\"clientPort\":44421,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=695850&page&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=695850&page&no=0\",\"userAgent\":\"Mo
zilla\\/5.0 (compatible;PetalBot;+https:\\/\\/webmaster.petalsearch.com\\/site\\/
petalbot)\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus
\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":562,\"sentBytes\":488,\"connectionSerialNumber\":509499,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"9b31e3aae56d7f
425bca373b3083fcf4\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:37:22+00:00\", \"time\": \"2024-02-
25T03:37:22+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"114.119.145.115\",\"clientPort\":58725,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=695850&page&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=695850&page&no=0\",\"userAgent\":\"Mo
zilla\\/5.0 (compatible;PetalBot;+https:\\/\\/webmaster.petalsearch.com\\/site\\/
petalbot)\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus
\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":445,\"sentBytes\":5977,\"connectionSerialNumber\":509500,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.007,\"timeTaken\":0.062,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"2deefa5ffd66c437c98de152abd480d2\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.056\",\"upst
reamSourcePort\":\"30022\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:37:21+00:00\", \"time\": \"2024-02-
25T03:37:21+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15402\",\"requestUri\":\"\\/00\\/
S5YA15402\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1004,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":6,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluation
Time\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"e069e6bd313f0
d3d3cbb5c8591f102a6\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:37:22+00:00\", \"time\": \"2024-02-
25T03:37:22+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"114.119.145.115\",\"clientPort\":44421,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=695850&page&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=695850&page&no=0\",\"userAgent\":\"Mo
zilla\\/5.0 (compatible;PetalBot;+https:\\/\\/webmaster.petalsearch.com\\/site\\/
petalbot)\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus
\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":562,\"sentBytes\":488,\"connectionSerialNumber\":509499,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"9b31e3aae56d7f
425bca373b3083fcf4\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:37:22+00:00\", \"time\": \"2024-02-
25T03:37:22+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"114.119.145.115\",\"clientPort\":58725,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=695850&page&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=695850&page&no=0\",\"userAgent\":\"Mo
zilla\\/5.0 (compatible;PetalBot;+https:\\/\\/webmaster.petalsearch.com\\/site\\/
petalbot)\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus
\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":445,\"sentBytes\":5977,\"connectionSerialNumber\":509500,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.007,\"timeTaken\":0.062,\"WAFEvaluationTime
\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/subscriptions\\/
2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/RG_YAzureDMZ_APG01\\/
providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"2deefa5ffd66c437c98de152abd480d2\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.056\",\"upst
reamSourcePort\":\"30022\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:37:58,463][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:37:21+00:00", "timeStamp"=>"2024-02-25T03:37:21+00:00",
"listenerName"=>"APG01_Listener15_HTTPS_AutoID-Redirect",
"properties"=>{"host"=>"", "clientPort"=>35780, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"",
"timeTaken"=>0, "transactionId"=>"e069e6bd313f0d3d3cbb5c8591f102a6",
"sslClientVerify"=>"NONE", "originalRequestUriWithArgs"=>"/00/S5YA15402",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"13.73.28.76",
"httpStatus"=>307, "sentBytes"=>463, "requestUri"=>"/00/S5YA15402",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509422, "contentType"=>"",
"originalHost"=>"autoid.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>1004,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>6,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule15_AutoID-Redirect"}, {"time"=>"2024-02-
25T03:37:22+00:00", "timeStamp"=>"2024-02-25T03:37:22+00:00",
"listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect", "properties"=>{"host"=>"",
"clientPort"=>44421, "sslProtocol"=>"", "serverRouted"=>"", "sslCipher"=>"",
"WAFMode"=>"", "timeTaken"=>0, "transactionId"=>"9b31e3aae56d7f425bca373b3083fcf4",
"sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=695850&page&no=0", "WAFEvaluationTime"=>"", "serverStatus"=>"",
"clientIP"=>"114.119.145.115", "httpStatus"=>301, "sentBytes"=>488,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509499, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>562,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=res&namber=695850&page&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0
(compatible;PetalBot;+https://webmaster.petalsearch.com/site/petalbot)",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, {"time"=>"2024-02-
25T03:37:22+00:00", "timeStamp"=>"2024-02-25T03:37:22+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>58725,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.62e-1,
"transactionId"=>"2deefa5ffd66c437c98de152abd480d2", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=695850&page&no=0", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"114.119.145.115", "httpStatus"=>200,
"sentBytes"=>5977, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509500, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>445,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=res&namber=695850&page&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.7e-2,
"userAgent"=>"Mozilla/5.0
(compatible;PetalBot;+https://webmaster.petalsearch.com/site/petalbot)",
"upstreamSourcePort"=>"30022", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>"0.056"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}], "@timestamp"=>2024-02-
25T03:37:58.410541589Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:37:21+00:00\", \"time\": \"2024-02-25T03:37:21+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15402\",\"requestUri\":\"\\/00\\/
S5YA15402\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1004,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":6,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluation
Time\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"e069e6bd313f0
d3d3cbb5c8591f102a6\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:37:22+00:00\", \"time\": \"2024-02-
25T03:37:22+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"114.119.145.115\",\"clientPort\":44421,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=695850&page&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=695850&page&no=0\",\"userAgent\":\"Mo
zilla\\/5.0 (compatible;PetalBot;+https:\\/\\/webmaster.petalsearch.com\\/site\\/
petalbot)\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus
\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":562,\"sentBytes\":488,\"connectionSerialNumber\":509499,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"9b31e3aae56d7f
425bca373b3083fcf4\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:37:22+00:00\", \"time\": \"2024-02-
25T03:37:22+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"114.119.145.115\",\"clientPort\":58725,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=695850&page&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=695850&page&no=0\",\"userAgent\":\"Mo
zilla\\/5.0 (compatible;PetalBot;+https:\\/\\/webmaster.petalsearch.com\\/site\\/
petalbot)\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus
\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":445,\"sentBytes\":5977,\"connectionSerialNumber\":509500,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.007,\"timeTaken\":0.062,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"2deefa5ffd66c437c98de152abd480d2\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-
AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.056\",\"upst
reamSourcePort\":\"30022\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:37:21+00:00\", \"time\": \"2024-02-
25T03:37:21+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15402\",\"requestUri\":\"\\/00\\/
S5YA15402\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1004,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":6,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluation
Time\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"e069e6bd313f0
d3d3cbb5c8591f102a6\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:37:22+00:00\", \"time\": \"2024-02-
25T03:37:22+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"114.119.145.115\",\"clientPort\":44421,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=695850&page&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=695850&page&no=0\",\"userAgent\":\"Mo
zilla\\/5.0 (compatible;PetalBot;+https:\\/\\/webmaster.petalsearch.com\\/site\\/
petalbot)\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus
\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":562,\"sentBytes\":488,\"connectionSerialNumber\":509499,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"9b31e3aae56d7f
425bca373b3083fcf4\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:37:22+00:00\", \"time\": \"2024-02-
25T03:37:22+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"114.119.145.115\",\"clientPort\":58725,\
"httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=695850&page&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=695850&page&no=0\",\"userAgent\":\"Mo
zilla\\/5.0 (compatible;PetalBot;+https:\\/\\/webmaster.petalsearch.com\\/site\\/
petalbot)\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus
\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":445,\"sentBytes\":5977,\"connectionSerialNumber\":509500,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.007,\"timeTaken\":0.062,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"2deefa5ffd66c437c98de152abd480d2\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.056\",\"upst
reamSourcePort\":\"30022\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:37:58,465][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:37:21+00:00", "timeStamp"=>"2024-02-
25T03:37:21+00:00", "listenerName"=>"APG01_Listener15_HTTPS_AutoID-Redirect",
"properties"=>{"host"=>"", "clientPort"=>35780, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"",
"timeTaken"=>0, "transactionId"=>"e069e6bd313f0d3d3cbb5c8591f102a6",
"sslClientVerify"=>"NONE", "originalRequestUriWithArgs"=>"/00/S5YA15402",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"13.73.28.76",
"httpStatus"=>307, "sentBytes"=>463, "requestUri"=>"/00/S5YA15402",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509422, "contentType"=>"",
"originalHost"=>"autoid.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>1004,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>6,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule15_AutoID-Redirect"}, :field=>"records"}
[2024-02-25T03:37:58,466][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:37:22+00:00", "timeStamp"=>"2024-02-
25T03:37:22+00:00", "listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect",
"properties"=>{"host"=>"", "clientPort"=>44421, "sslProtocol"=>"",
"serverRouted"=>"", "sslCipher"=>"", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"9b31e3aae56d7f425bca373b3083fcf4", "sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=695850&page&no=0", "WAFEvaluationTime"=>"", "serverStatus"=>"",
"clientIP"=>"114.119.145.115", "httpStatus"=>301, "sentBytes"=>488,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509499, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>562,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=res&namber=695850&page&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0
(compatible;PetalBot;+https://webmaster.petalsearch.com/site/petalbot)",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, :field=>"records"}
[2024-02-25T03:37:58,466][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:37:22+00:00", "timeStamp"=>"2024-02-
25T03:37:22+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>58725,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.62e-1,
"transactionId"=>"2deefa5ffd66c437c98de152abd480d2", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=695850&page&no=0", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"114.119.145.115", "httpStatus"=>200,
"sentBytes"=>5977, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509500, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>445,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=res&namber=695850&page&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.7e-2,
"userAgent"=>"Mozilla/5.0
(compatible;PetalBot;+https://webmaster.petalsearch.com/site/petalbot)",
"upstreamSourcePort"=>"30022", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>"0.056"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:37:58,483][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>3, :payload_size=>37417, :content_length=>3530, :batch_offset=>0}
[2024-02-25T03:37:58,598][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:37:58,598][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:37:58,598][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:37:58,617][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:37:58,617][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:37:58,618][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:37:58,667][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:37:58,667][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:37:58,667][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:38:00,717][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:38:00,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:38:00,720][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:38:01,619][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=540156057} forced-compaction result (captures: `3` span: `PT10.005761622S`)
[2024-02-25T03:38:01,619][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1346215174} forced-compaction result (captures: `3` span: `PT10.005958926S`)
[2024-02-25T03:38:01,620][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=827149645} forced-compaction result (captures: `3` span: `PT10.006006528S`)
[2024-02-25T03:38:01,620][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=235286487} forced-compaction result (captures: `3` span: `PT10.005847525S`)
[2024-02-25T03:38:01,620][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1065480294} forced-compaction result (captures: `3` span: `PT10.005778623S`)
[2024-02-25T03:38:01,620][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=57188157} forced-compaction result (captures: `3` span: `PT10.005780823S`)
[2024-02-25T03:38:01,620][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1486130488} forced-compaction result (captures: `3` span: `PT10.005762722S`)
[2024-02-25T03:38:01,620][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1741908330} forced-compaction result (captures: `3` span: `PT10.005732122S`)
[2024-02-25T03:38:01,620][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1466017590} forced-compaction result (captures: `3` span: `PT10.005733922S`)
[2024-02-25T03:38:01,620][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=272063376} forced-compaction result (captures: `3` span: `PT10.005728121S`)
[2024-02-25T03:38:01,620][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1815538147} forced-compaction result (captures: `3` span: `PT10.005724922S`)
[2024-02-25T03:38:01,620][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=273831222} forced-compaction result (captures: `3` span: `PT10.005706021S`)
[2024-02-25T03:38:01,620][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1255151645} forced-compaction result (captures: `3` span: `PT10.005701921S`)
[2024-02-25T03:38:01,620][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1620128012} forced-compaction result (captures: `3` span: `PT10.005697521S`)
[2024-02-25T03:38:01,620][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1001633036} forced-compaction result (captures: `3` span: `PT10.005695121S`)
[2024-02-25T03:38:01,620][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=969583785} forced-compaction result (captures: `3` span: `PT10.005699221S`)
[2024-02-25T03:38:01,903][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:38:01,908][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:38:02,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:38:03,391][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:38:03,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25275
[2024-02-25T03:38:03,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20091
[2024-02-25T03:38:03,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25206
[2024-02-25T03:38:03,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25226
[2024-02-25T03:38:03,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:38:03,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:38:03,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:38:03,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:38:03,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:38:03,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:38:03,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:38:03,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:38:03,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:38:03,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25272
[2024-02-25T03:38:03,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20088
[2024-02-25T03:38:03,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25203
[2024-02-25T03:38:03,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25223
[2024-02-25T03:38:03,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:38:03,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:38:03,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:38:03,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:38:03,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:38:03,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:38:03,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:38:03,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:38:03,483][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:38:03,483][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:38:03,483][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:38:03,718][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:38:03,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:38:03,720][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:38:06,623][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is processing a batch of
size 1.
[2024-02-25T03:38:06,623][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=2108110993} forced-compaction result (captures: `3` span: `PT10.00662376S`)
[2024-02-25T03:38:06,624][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1130893468} forced-compaction result (captures: `3` span: `PT10.00663386S`)
[2024-02-25T03:38:06,625][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Saving checkpoint: 1533313464264//1261840
[2024-02-25T03:38:06,628][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: updateCheckpoint() 1533313464264//1261840
[2024-02-25T03:38:06,628][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 finished processing a batch
of 1846 bytes.
[2024-02-25T03:38:06,637][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 is processing a batch of
size 1.
[2024-02-25T03:38:06,639][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: Saving checkpoint: 1533336259352//1261938
[2024-02-25T03:38:06,639][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: updateCheckpoint() 1533336259352//1261938
[2024-02-25T03:38:06,639][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 finished processing a batch
of 2888 bytes.
[2024-02-25T03:38:06,690][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:38:06.624615786Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:37:34+00:00\", \"time\": \"2024-02-25T03:37:34+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.6\",\"clientPort\":49590,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=683901&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=683901&no=0&page\",\"userAgent\":\"Mo
zilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":357,\"sentBytes\":5977,\"connectionSerialNumber\":509965,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.069,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"c73914baecbee781b325098e9705c7d0\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.068\",\"upst
reamSourcePort\":\"43664\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:37:34+00:00\", \"time\": \"2024-02-
25T03:37:34+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.6\",\"clientPort\":49590,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=683901&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=683901&no=0&page\",\"userAgent\":\"Mo
zilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":357,\"sentBytes\":5977,\"connectionSerialNumber\":509965,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.069,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"c73914baecbee781b325098e9705c7d0\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.068\",\"upst
reamSourcePort\":\"43664\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:38:06,691][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:37:34+00:00", "timeStamp"=>"2024-02-25T03:37:34+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>49590,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.69e-1,
"transactionId"=>"c73914baecbee781b325098e9705c7d0", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=683901&no=0&page", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"185.191.171.6", "httpStatus"=>200,
"sentBytes"=>5977, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509965, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>357,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=res&namber=683901&no=0&page",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.5e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"43664",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.068"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}], "@timestamp"=>2024-02-
25T03:38:06.624615786Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:37:34+00:00\", \"time\": \"2024-02-25T03:37:34+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.6\",\"clientPort\":49590,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=683901&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=683901&no=0&page\",\"userAgent\":\"Mo
zilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":357,\"sentBytes\":5977,\"connectionSerialNumber\":509965,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.069,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"c73914baecbee781b325098e9705c7d0\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.068\",\"upst
reamSourcePort\":\"43664\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:37:34+00:00\", \"time\": \"2024-02-
25T03:37:34+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.6\",\"clientPort\":49590,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=683901&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=683901&no=0&page\",\"userAgent\":\"Mo
zilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":357,\"sentBytes\":5977,\"connectionSerialNumber\":509965,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.069,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"c73914baecbee781b325098e9705c7d0\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.068\",\"upst
reamSourcePort\":\"43664\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:38:06,692][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:37:34+00:00", "timeStamp"=>"2024-02-
25T03:37:34+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>49590,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.69e-1,
"transactionId"=>"c73914baecbee781b325098e9705c7d0", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=683901&no=0&page", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"185.191.171.6", "httpStatus"=>200,
"sentBytes"=>5977, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509965, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>357,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=res&namber=683901&no=0&page",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.5e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"43664",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.068"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:38:06,699][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:38:06.638477188Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:37:33+00:00\", \"time\": \"2024-02-25T03:37:33+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15403\",\"requestUri\":\"\\/00\\/
S5YA15403\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1004,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":7,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluation
Time\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"4923b7130e1a0
933b819b98945dd1a5e\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:37:38+00:00\", \"time\": \"2024-02-
25T03:37:38+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15403\",\"requestUri\":\"\\/00\\/
S5YA15403\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1004,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":8,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluation
Time\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"558d8e1a9f4dd
224b1500432739aeb7d\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}}]}",
"event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:37:33+00:00\", \"time\": \"2024-02-25T03:37:33+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15403\",\"requestUri\":\"\\/00\\/
S5YA15403\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1004,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":7,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluation
Time\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"4923b7130e1a0
933b819b98945dd1a5e\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:37:38+00:00\", \"time\": \"2024-02-
25T03:37:38+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15403\",\"requestUri\":\"\\/00\\/
S5YA15403\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1004,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":8,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluation
Time\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"558d8e1a9f4dd
224b1500432739aeb7d\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}}]}"}}}
[2024-02-25T03:38:06,700][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:37:33+00:00", "timeStamp"=>"2024-02-25T03:37:33+00:00",
"listenerName"=>"APG01_Listener15_HTTPS_AutoID-Redirect",
"properties"=>{"host"=>"", "clientPort"=>35780, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"",
"timeTaken"=>0, "transactionId"=>"4923b7130e1a0933b819b98945dd1a5e",
"sslClientVerify"=>"NONE", "originalRequestUriWithArgs"=>"/00/S5YA15403",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"13.73.28.76",
"httpStatus"=>307, "sentBytes"=>463, "requestUri"=>"/00/S5YA15403",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509422, "contentType"=>"",
"originalHost"=>"autoid.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>1004,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>7,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule15_AutoID-Redirect"}, {"time"=>"2024-02-
25T03:37:38+00:00", "timeStamp"=>"2024-02-25T03:37:38+00:00",
"listenerName"=>"APG01_Listener15_HTTPS_AutoID-Redirect",
"properties"=>{"host"=>"", "clientPort"=>35780, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"",
"timeTaken"=>0, "transactionId"=>"558d8e1a9f4dd224b1500432739aeb7d",
"sslClientVerify"=>"NONE", "originalRequestUriWithArgs"=>"/00/S5YA15403",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"13.73.28.76",
"httpStatus"=>307, "sentBytes"=>463, "requestUri"=>"/00/S5YA15403",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509422, "contentType"=>"",
"originalHost"=>"autoid.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>1004,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>8,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule15_AutoID-Redirect"}], "@timestamp"=>2024-02-
25T03:38:06.638477188Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:37:33+00:00\", \"time\": \"2024-02-25T03:37:33+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15403\",\"requestUri\":\"\\/00\\/
S5YA15403\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1004,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":7,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluation
Time\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"4923b7130e1a0
933b819b98945dd1a5e\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:37:38+00:00\", \"time\": \"2024-02-
25T03:37:38+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15403\",\"requestUri\":\"\\/00\\/
S5YA15403\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1004,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":8,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluation
Time\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"558d8e1a9f4dd
224b1500432739aeb7d\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}}]}",
"event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:37:33+00:00\", \"time\": \"2024-02-25T03:37:33+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15403\",\"requestUri\":\"\\/00\\/
S5YA15403\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1004,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":7,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluation
Time\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"4923b7130e1a0
933b819b98945dd1a5e\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:37:38+00:00\", \"time\": \"2024-02-
25T03:37:38+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15403\",\"requestUri\":\"\\/00\\/
S5YA15403\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1004,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":8,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluation
Time\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"558d8e1a9f4dd
224b1500432739aeb7d\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}}]}"}}}
[2024-02-25T03:38:06,701][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:37:33+00:00", "timeStamp"=>"2024-02-
25T03:37:33+00:00", "listenerName"=>"APG01_Listener15_HTTPS_AutoID-Redirect",
"properties"=>{"host"=>"", "clientPort"=>35780, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"",
"timeTaken"=>0, "transactionId"=>"4923b7130e1a0933b819b98945dd1a5e",
"sslClientVerify"=>"NONE", "originalRequestUriWithArgs"=>"/00/S5YA15403",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"13.73.28.76",
"httpStatus"=>307, "sentBytes"=>463, "requestUri"=>"/00/S5YA15403",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509422, "contentType"=>"",
"originalHost"=>"autoid.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>1004,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>7,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule15_AutoID-Redirect"}, :field=>"records"}
[2024-02-25T03:38:06,701][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:37:38+00:00", "timeStamp"=>"2024-02-
25T03:37:38+00:00", "listenerName"=>"APG01_Listener15_HTTPS_AutoID-Redirect",
"properties"=>{"host"=>"", "clientPort"=>35780, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"",
"timeTaken"=>0, "transactionId"=>"558d8e1a9f4dd224b1500432739aeb7d",
"sslClientVerify"=>"NONE", "originalRequestUriWithArgs"=>"/00/S5YA15403",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"13.73.28.76",
"httpStatus"=>307, "sentBytes"=>463, "requestUri"=>"/00/S5YA15403",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509422, "contentType"=>"",
"originalHost"=>"autoid.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>1004,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>8,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule15_AutoID-Redirect"}, :field=>"records"}
[2024-02-25T03:38:06,712][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>3, :payload_size=>22814, :content_length=>2965, :batch_offset=>0}
[2024-02-25T03:38:06,732][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:38:06,732][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:38:06,740][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:38:06,914][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:38:06,914][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:38:07,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:38:08,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:38:08,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20275
[2024-02-25T03:38:08,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25091
[2024-02-25T03:38:08,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20206
[2024-02-25T03:38:08,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20226
[2024-02-25T03:38:08,392][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:38:08,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:38:08,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:38:08,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:38:08,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:38:08,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:38:08,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:38:08,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:38:08,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:38:08,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20271
[2024-02-25T03:38:08,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25087
[2024-02-25T03:38:08,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20202
[2024-02-25T03:38:08,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20222
[2024-02-25T03:38:08,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:38:08,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:38:08,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:38:08,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:38:08,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:38:08,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:38:08,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:38:08,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:38:08,598][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:38:08,599][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:38:08,599][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:38:08,618][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:38:08,618][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:38:08,618][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:38:08,667][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:38:08,667][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:38:08,667][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:38:09,721][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:38:09,721][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:38:09,723][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:38:11,921][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:38:11,921][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:38:12,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:38:12,416][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 is processing a batch of
size 1.
[2024-02-25T03:38:12,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: Saving checkpoint: 1533336262312//1261939
[2024-02-25T03:38:12,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: updateCheckpoint() 1533336262312//1261939
[2024-02-25T03:38:12,419][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 finished processing a batch
of 1846 bytes.
[2024-02-25T03:38:12,469][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:38:12.418079335Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:37:46+00:00\", \"time\": \"2024-02-25T03:37:46+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.12\",\"clientPort\":37108,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=51164&no=0&rev=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=51164&no=0&rev=0\",\"userAgent\":\"Mo
zilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":357,\"sentBytes\":6137,\"connectionSerialNumber\":509521,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.07,\"WAFEva
luationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"d88eee73c7a43e3953bce0df7b8d94e4\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.068\",\"upst
reamSourcePort\":\"48990\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:37:46+00:00\", \"time\": \"2024-02-
25T03:37:46+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.12\",\"clientPort\":37108,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=51164&no=0&rev=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=51164&no=0&rev=0\",\"userAgent\":\"Mo
zilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":357,\"sentBytes\":6137,\"connectionSerialNumber\":509521,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.07,\"WAFEva
luationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"d88eee73c7a43e3953bce0df7b8d94e4\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.068\",\"upst
reamSourcePort\":\"48990\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:38:12,470][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:37:46+00:00", "timeStamp"=>"2024-02-25T03:37:46+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>37108,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.7e-1,
"transactionId"=>"d88eee73c7a43e3953bce0df7b8d94e4", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&namber=51164&no=0&rev=0", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"185.191.171.12", "httpStatus"=>200,
"sentBytes"=>6137, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509521, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>357,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&namber=51164&no=0&rev=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"48990",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.068"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}], "@timestamp"=>2024-02-
25T03:38:12.418079335Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:37:46+00:00\", \"time\": \"2024-02-25T03:37:46+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.12\",\"clientPort\":37108,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=51164&no=0&rev=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=51164&no=0&rev=0\",\"userAgent\":\"Mo
zilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":357,\"sentBytes\":6137,\"connectionSerialNumber\":509521,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.07,\"WAFEva
luationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"d88eee73c7a43e3953bce0df7b8d94e4\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.068\",\"upst
reamSourcePort\":\"48990\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:37:46+00:00\", \"time\": \"2024-02-
25T03:37:46+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.12\",\"clientPort\":37108,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=51164&no=0&rev=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=51164&no=0&rev=0\",\"userAgent\":\"Mo
zilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":357,\"sentBytes\":6137,\"connectionSerialNumber\":509521,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.07,\"WAFEva
luationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"d88eee73c7a43e3953bce0df7b8d94e4\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.068\",\"upst
reamSourcePort\":\"48990\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:38:12,471][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:37:46+00:00", "timeStamp"=>"2024-02-
25T03:37:46+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>37108,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.7e-1,
"transactionId"=>"d88eee73c7a43e3953bce0df7b8d94e4", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&namber=51164&no=0&rev=0", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"185.191.171.12", "httpStatus"=>200,
"sentBytes"=>6137, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509521, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>357,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&namber=51164&no=0&rev=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"48990",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.068"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:38:12,481][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>1, :payload_size=>6229, :content_length=>1813, :batch_offset=>0}
[2024-02-25T03:38:12,725][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:38:12,725][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:38:12,727][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:38:13,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:38:13,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25274
[2024-02-25T03:38:13,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20090
[2024-02-25T03:38:13,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25206
[2024-02-25T03:38:13,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25225
[2024-02-25T03:38:13,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:38:13,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:38:13,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:38:13,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:38:13,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:38:13,393][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:38:13,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:38:13,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:38:13,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:38:13,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25270
[2024-02-25T03:38:13,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20086
[2024-02-25T03:38:13,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25202
[2024-02-25T03:38:13,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25221
[2024-02-25T03:38:13,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:38:13,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:38:13,397][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:38:13,397][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2 unowned 0
[2024-02-25T03:38:13,397][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:38:13,397][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or off end
[2024-02-25T03:38:13,397][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:38:13,397][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:38:13,484][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:38:13,484][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:38:13,484][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:38:14,339][DEBUG][logstash.inputs.azure.processor][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub: insights-logs-applicationgatewayaccesslog, Partition: 2 is processing a batch of size 1.
[2024-02-25T03:38:14,342][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: 2: Saving checkpoint: 6725919632848//1542131
[2024-02-25T03:38:14,343][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: 2: updateCheckpoint() 6725919632848//1542131
[2024-02-25T03:38:14,343][DEBUG][logstash.inputs.azure.processor][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub: insights-logs-applicationgatewayaccesslog, Partition: 2 finished processing a batch of 5564 bytes.
[2024-02-25T03:38:14,343][DEBUG][com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] clientId[PR_539107_1708832038496_MF_00b33c_1708832038383-InternalReceiver], path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/2], linkName[LN_c22bd3_1708832038545_dc7f_G9] - schedule operation timer, current: [2024-02-25T03:38:14.343181686Z], remaining: [60] secs
[2024-02-25T03:38:14,394][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:38:14.342111163Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:37:42+00:00\", \"time\": \"2024-02-25T03:37:42+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool12_ESS-
ESS\", \"backendSettingName\": \"APG02_HTTP12_ESS-
ESS\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Application
GatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62280,\"
httpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/ESS\\/ESS\\/VESD120.aspx?
qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d\",\"requestUri\":\"\\/ESS\\/ESS\\/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"requestQuery\":\"qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko)
Chrome\\/115.0.0.0 Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"application\\/x-www-form-urlencoded;
charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":36188,\"sentBytes\":29968,\"connectionSerialNumber\":535521
,\"noOfConnectionRequests\":3,\"clientResponseTime\":0,\"timeTaken\":0.039,\"WAFEva
luationTime\":\"0.020\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/APG02_WAFPolicy12_ESS-
ESS\",\"transactionId\":\"4e359de0875f26fc190824e1619e28f1\",\"sslEnabled\":\"on\",
\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.9.7:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.016\",\"upstr
eamSourcePort\":\"24746\",\"originalHost\":\"yazure-
ag.yokogawa.com\",\"host\":\"yazure-ag.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:37:42+00:00\", \"time\": \"2024-02-25T03:37:42+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool12_ESS-
ESS\", \"backendSettingName\": \"APG02_HTTP12_ESS-
ESS\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Application
GatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62280,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/ESS\\/ESS\\/VESD120.aspx?
qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d\",\"requestUri\":\"\\/ESS\\/ESS\\/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"requestQuery\":\"qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko)
Chrome\\/115.0.0.0 Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1151,\"sentBytes\":228370,\"connectionSerialNumber\":535521
,\"noOfConnectionRequests\":4,\"clientResponseTime\":0.004,\"timeTaken\":0.086,\"WA
FEvaluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/APG02_WAFPolicy12_ESS-
ESS\",\"transactionId\":\"e87bf2271de0a914eb68242f0027bf4c\",\"sslEnabled\":\"on\",
\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.9.7:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.084\",\"upstr
eamSourcePort\":\"24746\",\"originalHost\":\"yazure-
ag.yokogawa.com\",\"host\":\"yazure-ag.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:37:42+00:00\", \"time\": \"2024-02-25T03:37:42+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool00_DUMMY\", \"backendSettingName\": \"APG
02_HTTP00_DUMMY\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \
"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62280,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/
favicon.ico\",\"requestUri\":\"\\/
favicon.ico\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/115.0.0.0
Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":502,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":948,\"sentBytes\":768,\"connectionSerialNumber\":535521,\"n
oOfConnectionRequests\":5,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"7c2967ce16d2d5
4145d553e26c3bfb86\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"yazure-ag.yokogawa.com\",\"host\":\"\"}}]}",
"event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:37:42+00:00\", \"time\": \"2024-02-25T03:37:42+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool12_ESS-
ESS\", \"backendSettingName\": \"APG02_HTTP12_ESS-
ESS\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Application
GatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62280,\"
httpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/ESS\\/ESS\\/VESD120.aspx?
qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d\",\"requestUri\":\"\\/ESS\\/ESS\\/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"requestQuery\":\"qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko)
Chrome\\/115.0.0.0 Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"application\\/x-www-form-urlencoded;
charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":36188,\"sentBytes\":29968,\"connectionSerialNumber\":535521
,\"noOfConnectionRequests\":3,\"clientResponseTime\":0,\"timeTaken\":0.039,\"WAFEva
luationTime\":\"0.020\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/APG02_WAFPolicy12_ESS-
ESS\",\"transactionId\":\"4e359de0875f26fc190824e1619e28f1\",\"sslEnabled\":\"on\",
\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.9.7:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.016\",\"upstr
eamSourcePort\":\"24746\",\"originalHost\":\"yazure-
ag.yokogawa.com\",\"host\":\"yazure-ag.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:37:42+00:00\", \"time\": \"2024-02-25T03:37:42+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool12_ESS-
ESS\", \"backendSettingName\": \"APG02_HTTP12_ESS-
ESS\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Application
GatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62280,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/ESS\\/ESS\\/VESD120.aspx?
qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d\",\"requestUri\":\"\\/ESS\\/ESS\\/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"requestQuery\":\"qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko)
Chrome\\/115.0.0.0 Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1151,\"sentBytes\":228370,\"connectionSerialNumber\":535521
,\"noOfConnectionRequests\
":4,\"clientResponseTime\":0.004,\"timeTaken\":0.086,\"WAFEvaluationTime\":\"0.000\
",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/subscriptions\\/2bd75eb1-d088-
445b-a7e3-3f0510c83ca3\\/resourceGroups\\/RG_YAzureDMZ_APG02\\/providers\\/
Microsoft.Network\\/ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy12_ESS-
ESS\",\"transactionId\":\"e87bf2271de0a914eb68242f0027bf4c\",\"sslEnabled\":\"on\",
\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.9.7:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.084\",\"upstr
eamSourcePort\":\"24746\",\"originalHost\":\"yazure-
ag.yokogawa.com\",\"host\":\"yazure-ag.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:37:42+00:00\", \"time\": \"2024-02-25T03:37:42+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool00_DUMMY\", \"backendSettingName\": \"APG
02_HTTP00_DUMMY\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \
"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62280,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/
favicon.ico\",\"requestUri\":\"\\/
favicon.ico\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/115.0.0.0
Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":502,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":948,\"sentBytes\":768,\"connectionSerialNumber\":535521,\"n
oOfConnectionRequests\":5,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"7c2967ce16d2d5
4145d553e26c3bfb86\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"yazure-ag.yokogawa.com\",\"host\":\"\"}}]}"}}}
[2024-02-25T03:38:14,395][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:37:42+00:00", "timeStamp"=>"2024-02-25T03:37:42+00:00",
"backendPoolName"=>"APG02_BackendPool12_ESS-ESS",
"listenerName"=>"APG02_Listener01_HTTPS", "properties"=>{"host"=>"yazure-
ag.yokogawa.com", "clientPort"=>62280, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.14.9.7:80", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.39e-1,
"transactionId"=>"4e359de0875f26fc190824e1619e28f1", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/ESS/ESS/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d", "WAFEvaluationTime"=>"0.020",
"serverStatus"=>"200", "clientIP"=>"219.106.244.24", "httpStatus"=>200,
"sentBytes"=>29968, "requestUri"=>"/ESS/ESS/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy12_ESS-ESS",
"connectionSerialNumber"=>535521, "contentType"=>"application/x-www-form-
urlencoded; charset=UTF-8", "originalHost"=>"yazure-ag.yokogawa.com",
"sslEnabled"=>"on", "receivedBytes"=>36188, "httpMethod"=>"POST",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5",
"requestQuery"=>"qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188",
"upstreamSourcePort"=>"24746", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>3,
"serverResponseLatency"=>"0.016"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP12_ESS-ESS",
"category"=>"ApplicationGatewayAccessLog", "ruleName"=>"APG02_RoutingRule01"},
{"time"=>"2024-02-25T03:37:42+00:00", "timeStamp"=>"2024-02-25T03:37:42+00:00",
"backendPoolName"=>"APG02_BackendPool12_ESS-ESS",
"listenerName"=>"APG02_Listener01_HTTPS", "properties"=>{"host"=>"yazure-
ag.yokogawa.com", "clientPort"=>62280, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.14.9.7:80", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.86e-1,
"transactionId"=>"e87bf2271de0a914eb68242f0027bf4c", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/ESS/ESS/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"219.106.244.24", "httpStatus"=>200,
"sentBytes"=>228370, "requestUri"=>"/ESS/ESS/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy12_ESS-ESS",
"connectionSerialNumber"=>535521, "contentType"=>"", "originalHost"=>"yazure-
ag.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>1151, "httpMethod"=>"GET",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5",
"requestQuery"=>"qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.4e-2,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188",
"upstreamSourcePort"=>"24746", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>4,
"serverResponseLatency"=>"0.084"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP12_ESS-ESS",
"category"=>"ApplicationGatewayAccessLog", "ruleName"=>"APG02_RoutingRule01"},
{"time"=>"2024-02-25T03:37:42+00:00", "timeStamp"=>"2024-02-25T03:37:42+00:00",
"backendPoolName"=>"APG02_BackendPool00_DUMMY",
"listenerName"=>"APG02_Listener01_HTTPS", "properties"=>{"host"=>"",
"clientPort"=>62280, "sslProtocol"=>"TLSv1.2", "serverRouted"=>"",
"sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"7c2967ce16d2d54145d553e26c3bfb86", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/favicon.ico", "WAFEvaluationTime"=>"",
"serverStatus"=>"", "clientIP"=>"219.106.244.24", "httpStatus"=>502,
"sentBytes"=>768, "requestUri"=>"/favicon.ico", "WAFPolicyID"=>"",
"connectionSerialNumber"=>535521, "contentType"=>"", "originalHost"=>"yazure-
ag.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>948, "httpMethod"=>"GET",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5", "requestQuery"=>"",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>5,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP00_DUMMY",
"category"=>"ApplicationGatewayAccessLog", "ruleName"=>"APG02_RoutingRule01"}],
"@timestamp"=>2024-02-25T03:38:14.342111163Z, "message"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:37:42+00:00\", \"time\": \"2024-02-
25T03:37:42+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_
RoutingRule01\", \"backendPoolName\": \"APG02_BackendPool12_ESS-
ESS\", \"backendSettingName\": \"APG02_HTTP12_ESS-
ESS\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Application
GatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62280,\"
httpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/ESS\\/ESS\\/VESD120.aspx?
qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d\",\"requestUri\":\"\\/ESS\\/ESS\\/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"requestQuery\":\"qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko)
Chrome\\/115.0.0.0 Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"application\\/x-www-form-urlencoded;
charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":36188,\"sentBytes\":29968,\"connectionSerialNumber\":535521
,\"noOfConnectionRequests\":3,\"clientResponseTime\":0,\"timeTaken\":0.039,\"WAFEva
luationTime\":\"0.020\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/APG02_WAFPolicy12_ESS-
ESS\",\"transactionId\":\"4e359de0875f26fc190824e1619e28f1\",\"sslEnabled\":\"on\",
\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.9.7:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.016\",\"upstr
eamSourcePort\":\"24746\",\"originalHost\":\"yazure-
ag.yokogawa.com\",\"host\":\"yazure-ag.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:37:42+00:00\", \"time\": \"2024-02-25T03:37:42+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool12_ESS-
ESS\", \"backendSettingName\": \"APG02_HTTP12_ESS-
ESS\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Application
GatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62280,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/ESS\\/ESS\\/VESD120.aspx?
qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d\",\"requestUri\":\"\\/ESS\\/ESS\\/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"requestQuery\":\"qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko)
Chrome\\/115.0.0.0 Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1151,\"sentBytes\":228370,\"connectionSerialNumber\":535521
,\"noOfConnectionRequests\":4,\"clientResponseTime\":0.004,\"timeTaken\":0.086,\"WA
FEvaluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/APG02_WAFPolicy12_ESS-
ESS\",\"transactionId\":\"e87bf2271de0a914eb68242f0027bf4c\"
,\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.9.7:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.084\",\"upstr
eamSourcePort\":\"24746\",\"originalHost\":\"yazure-
ag.yokogawa.com\",\"host\":\"yazure-ag.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:37:42+00:00\", \"time\": \"2024-02-25T03:37:42+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool00_DUMMY\", \"backendSettingName\": \"APG
02_HTTP00_DUMMY\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \
"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62280,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/
favicon.ico\",\"requestUri\":\"\\/
favicon.ico\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/115.0.0.0
Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":502,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":948,\"sentBytes\":768,\"connectionSerialNumber\":535521,\"n
oOfConnectionRequests\":5,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"7c2967ce16d2d5
4145d553e26c3bfb86\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"yazure-ag.yokogawa.com\",\"host\":\"\"}}]}",
"event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:37:42+00:00\", \"time\": \"2024-02-25T03:37:42+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool12_ESS-
ESS\", \"backendSettingName\": \"APG02_HTTP12_ESS-
ESS\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Application
GatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62280,\"
httpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/ESS\\/ESS\\/VESD120.aspx?
qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d\",\"requestUri\":\"\\/ESS\\/ESS\\/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"requestQuery\":\"qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko)
Chrome\\/115.0.0.0 Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"application\\/x-www-form-urlencoded;
charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":36188,\"sentBytes\":29968,\"connectionSerialNumber\":535521
,\"noOfConnectionRequests\":3,\"clientResponseTime\":0,\"timeTaken\":0.039,\"WAFEva
luationTime\":\"0.020\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/APG02_WAFPolicy12_ESS-
ESS\",\"transactionId\":\"4e359de0875f26fc190824e1619e28f1\",\"sslEnabled\":\"on\",
\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.9.7:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.016\",\"upstr
eamSourcePort\":\"24746\",\"originalHost\":\"yazure-
ag.yokogawa.com\",\"host\":\"yazure-ag.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:37:42+00:00\", \"time\": \"2024-02-25T03:37:42+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool12_ESS-
ESS\", \"backendSettingName\": \"APG02_HTTP12_ESS-
ESS\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Application
GatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62280,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/ESS\\/ESS\\/VESD120.aspx?
qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d\",\"requestUri\":\"\\/ESS\\/ESS\\/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"requestQuery\":\"qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko)
Chrome\\/115.0.0.0 Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1151,\"sentBytes\":228370,\"connectionSerialNumber\":535521
,\"noOfConnectionRequests\":4,\"clientResponseTime\":0.004,\"timeTaken\":0.086,\"WA
FEvaluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/APG02_WAFPolicy12_ESS-
ESS\",\"transactionId\":\"e87bf2271de0a914eb68242f0027bf4c\",\"sslEnabled\":\"on\",
\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.9.7:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.084\",\"upstr
eamSourcePort\":\"24746\",\"originalHost\":\"yazure-
ag.yokogawa.com\",\"host\":\"yazure-ag.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:37:42+00:00\", \"time\": \"2024-02-25T03:37:42+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool00_DUMMY\", \"backendSettingName\": \"APG
02_HTTP00_DUMMY\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \
"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62280,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/
favicon.ico\",\"requestUri\":\"\\/
favicon.ico\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/115.0.0.0
Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":502,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":948,\"sentBytes\":768,\"connectionSerialNumber\":535521,\"n
oOfConnectionRequests\":5,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"7c2967ce16d2d5
4145d553e26c3bfb86\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"yazure-ag.yokogawa.com\",\"host\":\"\"}}]}"}}}
[2024-02-25T03:38:14,403][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:37:42+00:00", "timeStamp"=>"2024-02-
25T03:37:42+00:00", "backendPoolName"=>"APG02_BackendPool12_ESS-ESS",
"listenerName"=>"APG02_Listener01_HTTPS", "properties"=>{"host"=>"yazure-
ag.yokogawa.com", "clientPort"=>62280, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.14.9.7:80", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.39e-1,
"transactionId"=>"4e359de0875f26fc190824e1619e28f1", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/ESS/ESS/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d", "WAFEvaluationTime"=>"0.020",
"serverStatus"=>"200", "clientIP"=>"219.106.244.24", "httpStatus"=>200,
"sentBytes"=>29968, "requestUri"=>"/ESS/ESS/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy12_ESS-ESS",
"connectionSerialNumber"=>535521, "contentType"=>"application/x-www-form-
urlencoded; charset=UTF-8", "originalHost"=>"yazure-ag.yokogawa.com",
"sslEnabled"=>"on", "receivedBytes"=>36188, "httpMethod"=>"POST",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5",
"requestQuery"=>"qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188",
"upstreamSourcePort"=>"24746", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>3,
"serverResponseLatency"=>"0.016"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP12_ESS-ESS",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule01"}, :field=>"records"}
[2024-02-25T03:38:14,404][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:37:42+00:00", "timeStamp"=>"2024-02-
25T03:37:42+00:00", "backendPoolName"=>"APG02_BackendPool12_ESS-ESS",
"listenerName"=>"APG02_Listener01_HTTPS", "properties"=>{"host"=>"yazure-
ag.yokogawa.com", "clientPort"=>62280, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.14.9.7:80", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.86e-1,
"transactionId"=>"e87bf2271de0a914eb68242f0027bf4c", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/ESS/ESS/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"219.106.244.24", "httpStatus"=>200,
"sentBytes"=>228370, "requestUri"=>"/ESS/ESS/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy12_ESS-ESS",
"connectionSerialNumber"=>535521, "contentType"=>"", "originalHost"=>"yazure-
ag.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>1151, "httpMethod"=>"GET",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5",
"requestQuery"=>"qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.4e-2,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188",
"upstreamSourcePort"=>"24746", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>4,
"serverResponseLatency"=>"0.084"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP12_ESS-ESS",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule01"}, :field=>"records"}
[2024-02-25T03:38:14,404][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:37:42+00:00", "timeStamp"=>"2024-02-
25T03:37:42+00:00", "backendPoolName"=>"APG02_BackendPool00_DUMMY",
"listenerName"=>"APG02_Listener01_HTTPS", "properties"=>{"host"=>"",
"clientPort"=>62280, "sslProtocol"=>"TLSv1.2", "serverRouted"=>"",
"sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"7c2967ce16d2d54145d553e26c3bfb86", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/favicon.ico", "WAFEvaluationTime"=>"",
"serverStatus"=>"", "clientIP"=>"219.106.244.24", "httpStatus"=>502,
"sentBytes"=>768, "requestUri"=>"/favicon.ico", "WAFPolicyID"=>"",
"connectionSerialNumber"=>535521, "contentType"=>"", "originalHost"=>"yazure-
ag.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>948, "httpMethod"=>"GET",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5", "requestQuery"=>"",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>5,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP00_DUMMY",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule01"}, :field=>"records"}
[2024-02-25T03:38:14,416][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>3, :payload_size=>43382, :content_length=>3544, :batch_offset=>0}
[2024-02-25T03:38:14,451][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
1], linkName[LN_7535a2_1708832073460_45c_G10] - Reschedule operation timer,
current: [2024-02-25T03:38:14.451456046Z], remaining: [57] secs
[2024-02-25T03:38:15,720][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:38:15,720][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:38:15,729][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:38:16,629][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=347708838} forced-compaction result
(captures: `13` span: `PT1M0.035221235S`)
[2024-02-25T03:38:16,629][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1975461151} forced-compaction result
(captures: `13` span: `PT1M0.035170432S`)
[2024-02-25T03:38:16,629][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=834359250} forced-compaction result
(captures: `13` span: `PT1M0.035152932S`)
[2024-02-25T03:38:16,629][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=212501865} forced-compaction result
(captures: `13` span: `PT1M0.03512493S`)
[2024-02-25T03:38:16,629][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1420193271} forced-compaction result
(captures: `13` span: `PT1M0.03512453S`)
[2024-02-25T03:38:16,929][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:38:16,929][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:38:17,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:38:18,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:38:18,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20273
[2024-02-25T03:38:18,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25090
[2024-02-25T03:38:18,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20205
[2024-02-25T03:38:18,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20224
[2024-02-25T03:38:18,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:38:18,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:38:18,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:38:18,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:38:18,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:38:18,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:38:18,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:38:18,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:38:18,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:38:18,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20270
[2024-02-25T03:38:18,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25087
[2024-02-25T03:38:18,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20202
[2024-02-25T03:38:18,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20221
[2024-02-25T03:38:18,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:38:18,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:38:18,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:38:18,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:38:18,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:38:18,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:38:18,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:38:18,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:38:18,599][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:38:18,599][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:38:18,599][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:38:18,618][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:38:18,618][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:38:18,618][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:38:18,668][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:38:18,668][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:38:18,668][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:38:18,725][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:38:18,725][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:38:18,734][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:38:21,631][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1185004608} forced-compaction result
(captures: `13` span: `PT1M0.035002357S`)
[2024-02-25T03:38:21,632][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=470312551} forced-compaction result
(captures: `13` span: `PT1M0.034958156S`)
[2024-02-25T03:38:21,632][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1089746968} forced-compaction result
(captures: `13` span: `PT1M0.034934756S`)
[2024-02-25T03:38:21,632][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=852728684} forced-compaction result
(captures: `13` span: `PT1M0.034872555S`)
[2024-02-25T03:38:21,632][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2044420810} forced-compaction result
(captures: `13` span: `PT1M0.034719651S`)
[2024-02-25T03:38:21,632][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=650053832} forced-compaction result
(captures: `13` span: `PT1M0.03470075S`)
[2024-02-25T03:38:21,632][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1206567167} forced-compaction result
(captures: `13` span: `PT1M0.034695151S`)
[2024-02-25T03:38:21,632][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1766603669} forced-compaction result
(captures: `13` span: `PT1M0.034681351S`)
[2024-02-25T03:38:21,632][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1260640580} forced-compaction result
(captures: `13` span: `PT1M0.034690851S`)
[2024-02-25T03:38:21,632][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=352608672} forced-compaction result
(captures: `13` span: `PT1M0.03468765S`)
[2024-02-25T03:38:21,632][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=83404487} forced-compaction result
(captures: `13` span: `PT1M0.034508647S`)
[2024-02-25T03:38:21,632][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=216053086} forced-compaction result
(captures: `13` span: `PT1M0.034450645S`)
[2024-02-25T03:38:21,632][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1499243647} forced-compaction result
(captures: `13` span: `PT1M0.034448345S`)
[2024-02-25T03:38:21,632][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1877198741} forced-compaction result
(captures: `13` span: `PT1M0.034439346S`)
[2024-02-25T03:38:21,725][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:38:21,725][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:38:21,727][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:38:21,934][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:38:21,935][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:38:22,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:38:23,394][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:38:23,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25273
[2024-02-25T03:38:23,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20089
[2024-02-25T03:38:23,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25204
[2024-02-25T03:38:23,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25223
[2024-02-25T03:38:23,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:38:23,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:38:23,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:38:23,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:38:23,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:38:23,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:38:23,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:38:23,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:38:23,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:38:23,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25270
[2024-02-25T03:38:23,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20086
[2024-02-25T03:38:23,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25201
[2024-02-25T03:38:23,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25220
[2024-02-25T03:38:23,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:38:23,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:38:23,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:38:23,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:38:23,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:38:23,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:38:23,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:38:23,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:38:23,484][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:38:23,484][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:38:23,484][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:38:24,725][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:38:24,725][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:38:24,727][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:38:26,634][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1206079401} forced-compaction result (captures: `3` span: `PT10.00523073S`)
[2024-02-25T03:38:26,634][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=725814568} forced-compaction result (captures: `3` span: `PT10.005313631S`)
[2024-02-25T03:38:26,634][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1730595321} forced-compaction result (captures: `3` span: `PT10.005322731S`)
[2024-02-25T03:38:26,634][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2047832316} forced-compaction result
(captures: `13` span: `PT1M0.033311184S`)
[2024-02-25T03:38:26,634][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=267304298} forced-compaction result
(captures: `13` span: `PT1M0.033319084S`)
[2024-02-25T03:38:26,939][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:38:26,946][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:38:27,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:38:27,724][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:38:27,724][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:38:27,726][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:38:28,395][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:38:28,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20272
[2024-02-25T03:38:28,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25088
[2024-02-25T03:38:28,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20203
[2024-02-25T03:38:28,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20222
[2024-02-25T03:38:28,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:38:28,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:38:28,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:38:28,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:38:28,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:38:28,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:38:28,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:38:28,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:38:28,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:38:28,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20270
[2024-02-25T03:38:28,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25086
[2024-02-25T03:38:28,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20201
[2024-02-25T03:38:28,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20220
[2024-02-25T03:38:28,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:38:28,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:38:28,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:38:28,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:38:28,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:38:28,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:38:28,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:38:28,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:38:28,599][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:38:28,599][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:38:28,600][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:38:28,619][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:38:28,619][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:38:28,619][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:38:28,668][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:38:28,668][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:38:28,668][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:38:30,724][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:38:30,725][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:38:30,727][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:38:31,636][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=540156057} forced-compaction result (captures: `3` span: `PT10.00521583S`)
[2024-02-25T03:38:31,637][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1346215174} forced-compaction result (captures: `3` span: `PT10.005435435S`)
[2024-02-25T03:38:31,637][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=827149645} forced-compaction result (captures: `3` span: `PT10.005606038S`)
[2024-02-25T03:38:31,637][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=235286487} forced-compaction result (captures: `3` span: `PT10.005504736S`)
[2024-02-25T03:38:31,637][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1065480294} forced-compaction result (captures: `3` span: `PT10.005496036S`)
[2024-02-25T03:38:31,637][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=57188157} forced-compaction result (captures: `3` span: `PT10.005492635S`)
[2024-02-25T03:38:31,637][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1486130488} forced-compaction result (captures: `3` span: `PT10.005487236S`)
[2024-02-25T03:38:31,637][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1741908330} forced-compaction result (captures: `3` span: `PT10.005483136S`)
[2024-02-25T03:38:31,637][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1466017590} forced-compaction result (captures: `3` span: `PT10.005482435S`)
[2024-02-25T03:38:31,637][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=272063376} forced-compaction result (captures: `3` span: `PT10.005482935S`)
[2024-02-25T03:38:31,637][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1815538147} forced-compaction result (captures: `3` span: `PT10.005458934S`)
[2024-02-25T03:38:31,637][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=273831222} forced-compaction result (captures: `3` span: `PT10.005456635S`)
[2024-02-25T03:38:31,637][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1255151645} forced-compaction result (captures: `3` span: `PT10.005442434S`)
[2024-02-25T03:38:31,637][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1620128012} forced-compaction result (captures: `3` span: `PT10.005438135S`)
[2024-02-25T03:38:31,637][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1001633036} forced-compaction result (captures: `3` span: `PT10.005427634S`)
[2024-02-25T03:38:31,637][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=969583785} forced-compaction result (captures: `3` span: `PT10.005426434S`)
[2024-02-25T03:38:31,952][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:38:31,957][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:38:32,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:38:33,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:38:33,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25272
[2024-02-25T03:38:33,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20088
[2024-02-25T03:38:33,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25203
[2024-02-25T03:38:33,396][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25223
[2024-02-25T03:38:33,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:38:33,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:38:33,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:38:33,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:38:33,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:38:33,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:38:33,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:38:33,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:38:33,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:38:33,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25269
[2024-02-25T03:38:33,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20085
[2024-02-25T03:38:33,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25200
[2024-02-25T03:38:33,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25220
[2024-02-25T03:38:33,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:38:33,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:38:33,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:38:33,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:38:33,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:38:33,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:38:33,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:38:33,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:38:33,485][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:38:33,485][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:38:33,485][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:38:33,718][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:38:33,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:38:33,720][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:38:33,927][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], linkName[LN_163586_1708832038575_634_G17] - Reschedule operation timer,
current: [2024-02-25T03:38:33.927014849Z], remaining: [32] secs
[2024-02-25T03:38:33,927][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], linkName[LN_163586_1708832038575_634_G17] - Reschedule operation timer,
current: [2024-02-25T03:38:33.927310955Z], remaining: [32] secs
[2024-02-25T03:38:34,414][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 is processing a batch of
size 1.
[2024-02-25T03:38:34,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: Saving checkpoint: 1533336264224//1261940
[2024-02-25T03:38:34,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: updateCheckpoint() 1533336264224//1261940
[2024-02-25T03:38:34,419][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 finished processing a batch
of 9014 bytes.
[2024-02-25T03:38:34,469][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:38:34.417989848Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:38:01+00:00\", \"time\": \"2024-02-25T03:38:01+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.15\",\"clientPort\":55318,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=all&namber=1104523&no=0&space=0&type=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=all&namber=1104523&no=0&space=0&type=0\",\"userA
gent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":368,\"sentBytes\":3357,\"connectionSerialNumber\":509987,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.065,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"10a22a9b7cada52279b50620c1da532e\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.068\",\"upst
reamSourcePort\":\"39140\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:38:02+00:00\", \"time\": \"2024-02-25T03:38:02+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"52.167.144.203\",\"clientPort\":46449,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=8133&namber=5789364&space=0&rev=0&page=80&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=8133&namber=5789364&space=0&rev=0&page=80
&no=0\",\"userAgent\":\"Mozilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko;
compatible; bingbot\\/2.0; +http:\\/\\/www.bing.com\\/bingbot.htm)
Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":370,\"sentBytes\":6507,\"connectionSerialNumber\":509989,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.007,\"timeTaken\":0.059,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"b580849820eff0572e817ea352bc0c0a\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.052\",\"upst
reamSourcePort\":\"39140\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:38:06+00:00\", \"time\": \"2024-02-25T03:38:06+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"85.208.96.206\",\"clientPort\":27994,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=all&namber=887581&no=0&space=0&type=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=all&namber=887581&no=0&space=0&type=0\",\"userAg
ent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":367,\"sentBytes\":3357,\"connectionSerialNumber\":510007,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.064,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"91e34bfdc16a0e62da74cb3646b003a4\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"39140\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:38:06+00:00\", \"time\": \"2024-02-25T03:38:06+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"37.139.53.85\",\"clientPort\":60715,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=9660&namber=41284&space=45&rev=0&page=20&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=9660&namber=41284&space=45&rev=0&page=20&
no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/113.0.0.0
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.0\",\"receivedBytes\":489,\"sentBytes\":508,\"connectionSerialNumber\":510008,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"e26c6e1b52a472
6eacc0b0468e0e8e78\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:38:08+00:00\", \"time\": \"2024-02-
25T03:38:08+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"37.139.53.85\",\"clientPort\":60749,\"ht
tpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi\",\"requestUri\":\"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/113.0.0.0
Safari\\/537.36\",\"contentType\":\"multipart\\/form-data;
boundary=672b6e1e3c8cd\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":403,\
"httpVersion\":\"HTTP\\/
1.0\",\"receivedBytes\":1869,\"sentBytes\":757,\"connectionSerialNumber\":510009,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.22,\"timeTaken\":0.224,\"WAFEva
luationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"a16d7f2dfc7b997a67888bfa61cbd70c\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuer
Name\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLatency\":\
"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\
"\"}}]}", "event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:38:01+00:00\", \"time\": \"2024-02-25T03:38:01+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.15\",\"clientPort\":55318,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=all&namber=1104523&no=0&space=0&type=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=all&namber=1104523&no=0&space=0&type=0\",\"userA
gent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":368,\"sentBytes\":3357,\"connectionSerialNumber\":509987,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.065,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"10a22a9b7cada52279b50620c1da532e\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.068\",\"upst
reamSourcePort\":\"39140\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:38:02+00:00\", \"time\": \"2024-02-25T03:38:02+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"52.167.144.203\",\"clientPort\":46449,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=8133&namber=5789364&space=0&rev=0&page=80&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=8133&namber=5789364&space=0&rev=0&page=80
&no=0\",\"userAgent\":\"Mozilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko;
compatible; bingbot\\/2.0; +http:\\/\\/www.bing.com\\/bingbot.htm)
Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":370,\"sentBytes\":6507,\"connectionSerialNumber\":509989,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.007,\"timeTaken\":0.059,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"b580849820eff0572e817ea352bc0c0a\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.052\",\"upst
reamSourcePort\":\"39140\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:38:06+00:00\", \"time\": \"2024-02-25T03:38:06+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"85.208.96.206\",\"clientPort\":27994,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=all&namber=887581&no=0&space=0&type=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=all&namber=887581&no=0&space=0&type=0\",\"userAg
ent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":367,\"sentBytes\":3357,\"connectionSerialNumber\":510007,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.064,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"91e34bfdc16a0e62da74cb3646b003a4\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"39140\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:38:06+00:00\", \"time\": \"2024-02-25T03:38:06+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"37.139.53.85\",\"clientPort\":60715,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=9660&namber=41284&space=45&rev=0&page=20&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=9660&namber=41284&space=45&rev=0&page=20&
no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/113.0.0.0
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.0\",\"receivedBytes\":489,\"sentBytes\":508,\"connectionSerialNumber\":510008,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"e26c6e1b52a472
6eacc0b0468e0e8e78\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:38:08+00:00\", \"time\": \"2024-02-
25T03:38:08+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"37.139.53.85\",\"clientPort\":60749,\"ht
tpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi\",\"requestUri\":\"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/113.0.0.0
Safari\\/537.36\",\"contentType\":\"multipart\\/form-data;
boundary=672b6e1e3c8cd\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":403,\
"httpVersion\":\"HTTP\\/
1.0\",\"receivedBytes\":1869,\"sentBytes\":757,\"connectionSerialNumber\":510009,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.22,\"timeTaken\":0.224,\"WAFEva
luationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"a16d7f2dfc7b997a67888bfa61cbd70c\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverRespons
eLatency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\
",\"host\":\"\"}}]}"}}}
[2024-02-25T03:38:34,471][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:38:01+00:00", "timeStamp"=>"2024-02-25T03:38:01+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>55318,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.65e-1,
"transactionId"=>"10a22a9b7cada52279b50620c1da532e", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=all&namber=1104523&no=0&space=0&type=0", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"185.191.171.15", "httpStatus"=>200,
"sentBytes"=>3357, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509987, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>368,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=all&namber=1104523&no=0&space=0&type=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"39140",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.068"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, {"time"=>"2024-02-25T03:38:02+00:00",
"timeStamp"=>"2024-02-25T03:38:02+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>46449,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.59e-1,
"transactionId"=>"b580849820eff0572e817ea352bc0c0a", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&mo=8133&namber=5789364&space=0&rev=0&page=80&no=0",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"52.167.144.203",
"httpStatus"=>200, "sentBytes"=>6507,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509989, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>370,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=al2&mo=8133&namber=5789364&space=0&rev=0&page=80&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.7e-2,
"userAgent"=>"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible;
bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36",
"upstreamSourcePort"=>"39140", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>"0.052"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, {"time"=>"2024-02-25T03:38:06+00:00",
"timeStamp"=>"2024-02-25T03:38:06+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>27994,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.64e-1,
"transactionId"=>"91e34bfdc16a0e62da74cb3646b003a4", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=all&namber=887581&no=0&space=0&type=0", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"85.208.96.206", "httpStatus"=>200,
"sentBytes"=>3357, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>510007, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>367,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=all&namber=887581&no=0&space=0&type=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.5e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"39140",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.060"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, {"time"=>"2024-02-25T03:38:06+00:00",
"timeStamp"=>"2024-02-25T03:38:06+00:00",
"listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect", "properties"=>{"host"=>"",
"clientPort"=>60715, "sslProtocol"=>"", "serverRouted"=>"", "sslCipher"=>"",
"WAFMode"=>"", "timeTaken"=>0, "transactionId"=>"e26c6e1b52a4726eacc0b0468e0e8e78",
"sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&mo=9660&namber=41284&space=45&rev=0&page=20&no=0",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"37.139.53.85",
"httpStatus"=>301, "sentBytes"=>508,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>510008, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>489,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=al2&mo=9660&namber=41284&space=45&rev=0&page=20&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/113.0.0.0 Safari/537.36", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.0",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, {"time"=>"2024-02-
25T03:38:08+00:00", "timeStamp"=>"2024-02-25T03:38:08+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP", "properties"=>{"host"=>"",
"clientPort"=>60749, "sslProtocol"=>"TLSv1.2", "serverRouted"=>"",
"sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"Prevention",
"timeTaken"=>0.224e0, "transactionId"=>"a16d7f2dfc7b997a67888bfa61cbd70c",
"sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFEvaluationTime"=>"0.004", "serverStatus"=>"", "clientIP"=>"37.139.53.85",
"httpStatus"=>403, "sentBytes"=>757,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>510009, "contentType"=>"multipart/form-data;
boundary=672b6e1e3c8cd", "originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on",
"receivedBytes"=>1869, "httpMethod"=>"POST", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_4", "requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR",
"clientResponseTime"=>0.22e0, "userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64;
x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.0", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}], "@timestamp"=>2024-02-
25T03:38:34.417989848Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:38:01+00:00\", \"time\": \"2024-02-25T03:38:01+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\",
\"backendPoolName\": \"APG01_BackendPool12_RepJP\", \"backendSettingName\": \"APG0
1_HTTP12_RepJP\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"
ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.15\",\"clientPort\":55318,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=all&namber=1104523&no=0&space=0&type=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=all&namber=1104523&no=0&space=0&type=0\",\"userA
gent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":368,\"sentBytes\":3357,\"connectionSerialNumber\":509987,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.065,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"10a22a9b7cada52279b50620c1da532e\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.068\",\"upst
reamSourcePort\":\"39140\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:38:02+00:00\", \"time\": \"2024-02-25T03:38:02+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"52.167.144.203\",\"clientPort\":46449,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=8133&namber=5789364&space=0&rev=0&page=80&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=8133&namber=5789364&space=0&rev=0&page=80
&no=0\",\"userAgent\":\"Mozilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko;
compatible; bingbot\\/2.0; +http:\\/\\/www.bing.com\\/bingbot.htm)
Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":370,\"sentBytes\":6507,\"connectionSerialNumber\":509989,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.007,\"timeTaken\":0.059,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"b580849820eff0572e817ea352bc0c0a\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.052\",\"upst
reamSourcePort\":\"39140\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:38:06+00:00\", \"time\": \"2024-02-25T03:38:06+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"85.208.96.206\",\"clientPort\":27994,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=all&namber=887581&no=0&space=0&type=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=all&namber=887581&no=0&space=0&type=0\",\"userAg
ent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":367,\"sentBytes\":3357,\"connectionSerialNumber\":510007,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.064,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"91e34bfdc16a0e62da74cb3646b003a4\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"39140\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:38:06+00:00\", \"time\": \"2024-02-25T03:38:06+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"37.139.53.85\",\"clientPort\":60715,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=9660&namber=41284&space=45&rev=0&page=20&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=9660&namber=41284&space=45&rev=0&page=20&
no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/113.0.0.0
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.0\",\"receivedBytes\":489,\"sentBytes\":508,\"connectionSerialNumber\":510008,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"e26c6e1b52a472
6eacc0b0468e0e8e78\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:38:08+00:00\", \"time\": \"2024-02-
25T03:38:08+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"37.139.53.85\",\"clientPort\":60749,\"ht
tpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi\",\"requestUri\":\"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/113.0.0.0
Safari\\/537.36\",\"contentType\":\"multipart\\/form-data;
boundary=672b6e1e3c8cd\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":403,\
"httpVersion\":\"HTTP\\/
1.0\",\"receivedBytes\":1869,\"sentBytes\":757,\"connectionSerialNumber\":510009,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.22,\"timeTaken\":0.224,\"WAFEva
luationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"a16d7f2dfc7b997a67888bfa61cbd70c\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"\"}}]}",
"event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:38:01+00:00\", \"time\": \"2024-02-25T03:38:01+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\",
\"backendPoolName\": \"APG01_BackendPool12_RepJP\", \"backendSettingName\": \"APG0
1_HTTP12_RepJP\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"
ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.15\",\"clientPort\":55318,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=all&namber=1104523&no=0&space=0&type=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=all&namber=1104523&no=0&space=0&type=0\",\"userA
gent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":368,\"sentBytes\":3357,\"connectionSerialNumber\":509987,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.065,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"10a22a9b7cada52279b50620c1da532e\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.068\",\"upst
reamSourcePort\":\"39140\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:38:02+00:00\", \"time\": \"2024-02-25T03:38:02+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"52.167.144.203\",\"clientPort\":46449,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=8133&namber=5789364&space=0&rev=0&page=80&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=8133&namber=5789364&space=0&rev=0&page=80
&no=0\",\"userAgent\":\"Mozilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko;
compatible; bingbot\\/2.0; +http:\\/\\/www.bing.com\\/bingbot.htm)
Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":370,\"sentBytes\":6507,\"connectionSerialNumber\":509989,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.007,\"timeTaken\":0.059,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"b580849820eff0572e817ea352bc0c0a\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.052\",\"upst
reamSourcePort\":\"39140\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:38:06+00:00\", \"time\": \"2024-02-25T03:38:06+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"85.208.96.206\",\"clientPort\":27994,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=all&namber=887581&no=0&space=0&type=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=all&namber=887581&no=0&space=0&type=0\",\"userAg
ent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":367,\"sentBytes\":3357,\"connectionSerialNumber\":510007,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.064,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"91e34bfdc16a0e62da74cb3646b003a4\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"39140\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:38:06+00:00\", \"time\": \"2024-02-25T03:38:06+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"37.139.53.85\",\"clientPort\":60715,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=9660&namber=41284&space=45&rev=0&page=20&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=9660&namber=41284&space=45&rev=0&page=20&
no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/113.0.0.0
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.0\",\"receivedBytes\":489,\"sentBytes\":508,\"connectionSerialNumber\":510008,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"e26c6e1b52a472
6eacc0b0468e0e8e78\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:38:08+00:00\", \"time\": \"2024-02-
25T03:38:08+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"37.139.53.85\",\"clientPort\":60749,\"ht
tpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi\",\"requestUri\":\"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/113.0.0.0
Safari\\/537.36\",\"contentType\":\"multipart\\/form-data;
boundary=672b6e1e3c8cd\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":403,\
"httpVersion\":\"HTTP\\/
1.0\",\"receivedBytes\":1869,\"sentBytes\":757,\"connectionSerialNumber\":510009,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.22,\"timeTaken\":0.224,\"WAFEva
luationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"a16d7f2dfc7b997a67888bfa61cbd70c\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"\"}}]}"}}}
[2024-02-25T03:38:34,480][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:38:01+00:00", "timeStamp"=>"2024-02-
25T03:38:01+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>55318,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.65e-1,
"transactionId"=>"10a22a9b7cada52279b50620c1da532e", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=all&namber=1104523&no=0&space=0&type=0", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"185.191.171.15", "httpStatus"=>200,
"sentBytes"=>3357, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509987, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>368,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=all&namber=1104523&no=0&space=0&type=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"39140",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.068"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:38:34,480][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:38:02+00:00", "timeStamp"=>"2024-02-
25T03:38:02+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>46449,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.59e-1,
"transactionId"=>"b580849820eff0572e817ea352bc0c0a", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&mo=8133&namber=5789364&space=0&rev=0&page=80&no=0",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"52.167.144.203",
"httpStatus"=>200, "sentBytes"=>6507,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509989, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>370,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=al2&mo=8133&namber=5789364&space=0&rev=0&page=80&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.7e-2,
"userAgent"=>"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible;
bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36",
"upstreamSourcePort"=>"39140", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>"0.052"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:38:34,480][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:38:06+00:00", "timeStamp"=>"2024-02-
25T03:38:06+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>27994,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.64e-1,
"transactionId"=>"91e34bfdc16a0e62da74cb3646b003a4", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=all&namber=887581&no=0&space=0&type=0", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"85.208.96.206", "httpStatus"=>200,
"sentBytes"=>3357, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>510007, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>367,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=all&namber=887581&no=0&space=0&type=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.5e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"39140",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.060"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:38:34,481][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:38:06+00:00", "timeStamp"=>"2024-02-
25T03:38:06+00:00", "listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect",
"properties"=>{"host"=>"", "clientPort"=>60715, "sslProtocol"=>"",
"serverRouted"=>"", "sslCipher"=>"", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"e26c6e1b52a4726eacc0b0468e0e8e78", "sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&mo=9660&namber=41284&space=45&rev=0&page=20&no=0",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"37.139.53.85",
"httpStatus"=>301, "sentBytes"=>508,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>510008, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>489,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=al2&mo=9660&namber=41284&space=45&rev=0&page=20&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/113.0.0.0 Safari/537.36", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.0",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, :field=>"records"}
[2024-02-25T03:38:34,481][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:38:08+00:00", "timeStamp"=>"2024-02-
25T03:38:08+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP", "properties"=>{"host"=>"",
"clientPort"=>60749, "sslProtocol"=>"TLSv1.2", "serverRouted"=>"",
"sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"Prevention",
"timeTaken"=>0.224e0, "transactionId"=>"a16d7f2dfc7b997a67888bfa61cbd70c",
"sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFEvaluationTime"=>"0.004", "serverStatus"=>"", "clientIP"=>"37.139.53.85",
"httpStatus"=>403, "sentBytes"=>757,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>510009, "contentType"=>"multipart/form-data;
boundary=672b6e1e3c8cd", "originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on",
"receivedBytes"=>1869, "httpMethod"=>"POST", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_4", "requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR",
"clientResponseTime"=>0.22e0, "userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64;
x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.0", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:38:34,509][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>5, :payload_size=>109955, :content_length=>7995, :batch_offset=>0}
[2024-02-25T03:38:36,639][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=2108110993} forced-compaction result (captures: `3` span: `PT10.005168228S`)
[2024-02-25T03:38:36,640][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1130893468} forced-compaction result (captures: `3` span: `PT10.005278531S`)
[2024-02-25T03:38:36,724][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:38:36,724][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:38:36,726][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:38:36,963][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:38:36,967][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:38:37,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:38:38,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:38:38,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20271
[2024-02-25T03:38:38,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25088
[2024-02-25T03:38:38,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20202
[2024-02-25T03:38:38,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20222
[2024-02-25T03:38:38,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:38:38,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:38:38,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:38:38,397][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:38:38,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:38:38,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:38:38,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:38:38,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:38:38,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:38:38,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20269
[2024-02-25T03:38:38,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25086
[2024-02-25T03:38:38,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20200
[2024-02-25T03:38:38,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20220
[2024-02-25T03:38:38,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:38:38,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:38:38,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:38:38,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:38:38,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:38:38,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:38:38,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:38:38,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:38:38,600][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:38:38,600][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:38:38,600][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:38:38,619][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:38:38,619][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:38:38,619][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:38:38,669][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:38:38,669][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:38:38,669][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:38:38,977][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_539107_1708832038496_MF_00b33c_1708832038383-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
2], linkName[LN_c22bd3_1708832038545_dc7f_G9] - Reschedule operation timer,
current: [2024-02-25T03:38:38.977595009Z], remaining: [35] secs
[2024-02-25T03:38:39,349][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 is processing a batch of
size 1.
[2024-02-25T03:38:39,351][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: Saving checkpoint: 1533336273304//1261941
[2024-02-25T03:38:39,351][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: updateCheckpoint() 1533336273304//1261941
[2024-02-25T03:38:39,351][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 finished processing a batch
of 2030 bytes.
[2024-02-25T03:38:39,402][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:38:39.350185828Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:38:15+00:00\", \"time\": \"2024-02-25T03:38:15+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"188.130.142.57\",\"clientPort\":43735,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=99802&mode=al2&namber=5789364&no=0&page=0&rev=0&space=15\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=99802&mode=al2&namber=5789364&no=0&page=0&rev=0&sp
ace=15\",\"userAgent\":\"Mozilla\\/5.0 (Linux; Android 6.0.1; Nexus 5X
Build\\/MMB29P) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.6167.139
Mobile Safari\\/537.36 (compatible; Googlebot\\/2.1;
+http:\\/\\/www.google.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERRO
RINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":831,\"sentBytes\":7688,\"connectionSerialNumber\":510011,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.007,\"timeTaken\":0.056,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"87103a49acdce5bb08a5cabb1cf2d27d\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.052\",\"upst
reamSourcePort\":\"39140\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:38:15+00:00\", \"time\": \"2024-02-
25T03:38:15+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"188.130.142.57\",\"clientPort\":43735,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=99802&mode=al2&namber=5789364&no=0&page=0&rev=0&space=15\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=99802&mode=al2&namber=5789364&no=0&page=0&rev=0&sp
ace=15\",\"userAgent\":\"Mozilla\\/5.0 (Linux; Android 6.0.1; Nexus 5X
Build\\/MMB29P) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.6167.139
Mobile Safari\\/537.36 (compatible; Googlebot\\/2.1;
+http:\\/\\/www.google.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERRO
RINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":831,\"sentBytes\":7688,\"connectionSerialNumber\":510011,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.007,\"timeTaken\":0.056,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"87103a49acdce5bb08a5cabb1cf2d27d\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.052\",\"upst
reamSourcePort\":\"39140\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:38:39,403][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:38:15+00:00", "timeStamp"=>"2024-02-25T03:38:15+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>43735,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.56e-1,
"transactionId"=>"87103a49acdce5bb08a5cabb1cf2d27d", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mo=99802&mode=al2&namber=5789364&no=0&page=0&rev=0&space=15",
"WAFEvaluationTime"=>"0.004", "serverStatus"=>"200", "clientIP"=>"188.130.142.57",
"httpStatus"=>200, "sentBytes"=>7688,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>510011, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>831,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mo=99802&mode=al2&namber=5789364&no=0&page=0&rev=0&space=15",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.7e-2,
"userAgent"=>"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Mobile Safari/537.36
(compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
"upstreamSourcePort"=>"39140", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>"0.052"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}], "@timestamp"=>2024-02-
25T03:38:39.350185828Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:38:15+00:00\", \"time\": \"2024-02-25T03:38:15+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"188.130.142.57\",\"clientPort\":43735,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=99802&mode=al2&namber=5789364&no=0&page=0&rev=0&space=15\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=99802&mode=al2&namber=5789364&no=0&page=0&rev=0&sp
ace=15\",\"userAgent\":\"Mozilla\\/5.0 (Linux; Android 6.0.1; Nexus 5X
Build\\/MMB29P) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.6167.139
Mobile Safari\\/537.36 (compatible; Googlebot\\/2.1;
+http:\\/\\/www.google.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERRO
RINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":831,\"sentBytes\":7688,\"connectionSerialNumber\":510011,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.007,\"timeTaken\":0.056,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"87103a49acdce5bb08a5cabb1cf2d27d\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.052\",\"upst
reamSourcePort\":\"39140\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:38:15+00:00\", \"time\": \"2024-02-
25T03:38:15+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"188.130.142.57\",\"clientPort\":43735,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=99802&mode=al2&namber=5789364&no=0&page=0&rev=0&space=15\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=99802&mode=al2&namber=5789364&no=0&page=0&rev=0&sp
ace=15\",\"userAgent\":\"Mozilla\\/5.0 (Linux; Android 6.0.1; Nexus 5X
Build\\/MMB29P) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.6167.139
Mobile Safari\\/537.36 (compatible; Googlebot\\/2.1;
+http:\\/\\/www.google.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERRO
RINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":831,\"sentBytes\":7688,\"connectionSerialNumber\":510011,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.007,\"timeTaken\":0.056,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"87103a49acdce5bb08a5cabb1cf2d27d\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.052\",\"upst
reamSourcePort\":\"39140\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:38:39,404][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:38:15+00:00", "timeStamp"=>"2024-02-
25T03:38:15+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>43735,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.56e-1,
"transactionId"=>"87103a49acdce5bb08a5cabb1cf2d27d", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mo=99802&mode=al2&namber=5789364&no=0&page=0&rev=0&space=15",
"WAFEvaluationTime"=>"0.004", "serverStatus"=>"200", "clientIP"=>"188.130.142.57",
"httpStatus"=>200, "sentBytes"=>7688,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>510011, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>831,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mo=99802&mode=al2&namber=5789364&no=0&page=0&rev=0&space=15",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.7e-2,
"userAgent"=>"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Mobile Safari/537.36
(compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
"upstreamSourcePort"=>"39140", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>"0.052"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:38:39,407][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>1, :payload_size=>6871, :content_length=>1996, :batch_offset=>0}
[2024-02-25T03:38:39,725][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:38:39,725][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:38:39,727][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:38:41,972][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:38:41,979][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:38:42,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:38:42,587][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
1], linkName[LN_7535a2_1708832073460_45c_G10] - Reschedule operation timer,
current: [2024-02-25T03:38:42.587010964Z], remaining: [56] secs
[2024-02-25T03:38:42,719][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:38:42,719][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:38:42,721][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:38:43,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:38:43,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25271
[2024-02-25T03:38:43,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20087
[2024-02-25T03:38:43,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25202
[2024-02-25T03:38:43,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25221
[2024-02-25T03:38:43,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:38:43,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:38:43,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:38:43,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:38:43,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:38:43,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:38:43,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:38:43,398][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:38:43,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:38:43,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25269
[2024-02-25T03:38:43,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20085
[2024-02-25T03:38:43,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25200
[2024-02-25T03:38:43,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25219
[2024-02-25T03:38:43,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:38:43,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:38:43,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:38:43,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:38:43,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:38:43,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:38:43,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:38:43,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:38:43,485][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:38:43,485][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:38:43,485][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:38:45,724][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:38:45,725][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:38:45,726][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:38:46,644][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=347708838} forced-compaction result
(captures: `13` span: `PT1M0.033078833S`)
[2024-02-25T03:38:46,644][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1975461151} forced-compaction result
(captures: `13` span: `PT1M0.033078633S`)
[2024-02-25T03:38:46,644][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=834359250} forced-compaction result
(captures: `13` span: `PT1M0.033055833S`)
[2024-02-25T03:38:46,644][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=212501865} forced-compaction result
(captures: `13` span: `PT1M0.033055933S`)
[2024-02-25T03:38:46,644][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1420193271} forced-compaction result
(captures: `13` span: `PT1M0.033045732S`)
[2024-02-25T03:38:46,985][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:38:46,985][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:38:47,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:38:48,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:38:48,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20270
[2024-02-25T03:38:48,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25086
[2024-02-25T03:38:48,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20201
[2024-02-25T03:38:48,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20220
[2024-02-25T03:38:48,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:38:48,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:38:48,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:38:48,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:38:48,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:38:48,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:38:48,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:38:48,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:38:48,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:38:48,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20269
[2024-02-25T03:38:48,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25085
[2024-02-25T03:38:48,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20200
[2024-02-25T03:38:48,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20219
[2024-02-25T03:38:48,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:38:48,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:38:48,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:38:48,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:38:48,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:38:48,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:38:48,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:38:48,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:38:48,600][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:38:48,600][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:38:48,600][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:38:48,619][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:38:48,620][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:38:48,620][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:38:48,669][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:38:48,669][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:38:48,669][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:38:48,725][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:38:48,725][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:38:48,727][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:38:50,201][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is processing a batch of
size 1.
[2024-02-25T03:38:50,204][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Saving checkpoint: 1533313466176//1261841
[2024-02-25T03:38:50,204][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: updateCheckpoint() 1533313466176//1261841
[2024-02-25T03:38:50,208][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 finished processing a batch
of 4661 bytes.
[2024-02-25T03:38:50,255][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:38:50.203468838Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:38:11+00:00\", \"time\": \"2024-02-25T03:38:11+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15404\",\"requestUri\":\"\\/00\\/
S5YA15404\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1005,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":10,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluatio
nTime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"26565954167a
2f2aa2d23c7753d7f13d\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:38:14+00:00\", \"time\": \"2024-02-
25T03:38:14+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"188.130.142.57\",\"clientPort\":51537,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=99802&mode=al2&namber=5789364&no=0&page=0&rev=0&space=15\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=99802&mode=al2&namber=5789364&no=0&page=0&rev=0&sp
ace=15\",\"userAgent\":\"Mozilla\\/5.0 (Linux; Android 6.0.1; Nexus 5X
Build\\/MMB29P) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.6167.139
Mobile Safari\\/537.36 (compatible; Googlebot\\/2.1;
+http:\\/\\/www.google.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERRO
RINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":666,\"sentBytes\":515,\"connectionSerialNumber\":509550,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"713fb4a3ba26b8
18095918f09a147d13\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:38:18+00:00\", \"time\": \"2024-02-
25T03:38:18+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"24.249.199.12\",\"clientPort\":39930,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=4081&namber=5789364&space=0&rev=1&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=4081&namber=5789364&space=0&rev=1&page=0&
no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/114.0.0.0 Safari\\/537.36
Edge\\/44.18363.8131\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":612,\"sentBytes\":513,\"connectionSerialNumber\":509552,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"a111f16d5f15c9
29405821a4ed077d40\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}", "event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-
02-25T03:38:11+00:00\", \"time\": \"2024-02-
25T03:38:11+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15404\",\"requestUri\":\"\\/00\\/
S5YA15404\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1005,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":10,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluatio
nTime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"26565954167a
2f2aa2d23c7753d7f13d\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:38:14+00:00\", \"time\": \"2024-02-
25T03:38:14+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"188.130.142.57\",\"clientPort\":51537,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=99802&mode=al2&namber=5789364&no=0&page=0&rev=0&space=15\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=99802&mode=al2&namber=5789364&no=0&page=0&rev=0&sp
ace=15\",\"userAgent\":\"Mozilla\\/5.0 (Linux; Android 6.0.1; Nexus 5X
Build\\/MMB29P) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.6167.139
Mobile Safari\\/537.36 (compatible; Googlebot\\/2.1;
+http:\\/\\/www.google.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERRO
RINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":666,\"sentBytes\":515,\"connectionSerialNumber\":509550,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"713fb4a3ba26b8
18095918f09a147d13\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:38:18+00:00\", \"time\": \"2024-02-
25T03:38:18+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"24.249.199.12\",\"clientPort\":39930,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=4081&namber=5789364&space=0&rev=1&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=4081&namber=5789364&space=0&rev=1&page=0&
no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/114.0.0.0 Safari\\/537.36
Edge\\/44.18363.8131\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":301,\"httpVersion\"
:\"HTTP\\/
1.1\",\"receivedBytes\":612,\"sentBytes\":513,\"connectionSerialNumber\":509552,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"a111f16d5f15c9
29405821a4ed077d40\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}"}}}
[2024-02-25T03:38:50,256][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:38:11+00:00", "timeStamp"=>"2024-02-25T03:38:11+00:00",
"listenerName"=>"APG01_Listener15_HTTPS_AutoID-Redirect",
"properties"=>{"host"=>"", "clientPort"=>35780, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"",
"timeTaken"=>0, "transactionId"=>"26565954167a2f2aa2d23c7753d7f13d",
"sslClientVerify"=>"NONE", "originalRequestUriWithArgs"=>"/00/S5YA15404",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"13.73.28.76",
"httpStatus"=>307, "sentBytes"=>463, "requestUri"=>"/00/S5YA15404",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509422, "contentType"=>"",
"originalHost"=>"autoid.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>1005,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>10,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule15_AutoID-Redirect"}, {"time"=>"2024-02-
25T03:38:14+00:00", "timeStamp"=>"2024-02-25T03:38:14+00:00",
"listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect", "properties"=>{"host"=>"",
"clientPort"=>51537, "sslProtocol"=>"", "serverRouted"=>"", "sslCipher"=>"",
"WAFMode"=>"", "timeTaken"=>0, "transactionId"=>"713fb4a3ba26b818095918f09a147d13",
"sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mo=99802&mode=al2&namber=5789364&no=0&page=0&rev=0&space=15",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"188.130.142.57",
"httpStatus"=>301, "sentBytes"=>515,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509550, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>666,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mo=99802&mode=al2&namber=5789364&no=0&page=0&rev=0&space=15",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Mobile Safari/537.36
(compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, {"time"=>"2024-02-
25T03:38:18+00:00", "timeStamp"=>"2024-02-25T03:38:18+00:00",
"listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect", "properties"=>{"host"=>"",
"clientPort"=>39930, "sslProtocol"=>"", "serverRouted"=>"", "sslCipher"=>"",
"WAFMode"=>"", "timeTaken"=>0, "transactionId"=>"a111f16d5f15c929405821a4ed077d40",
"sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&mo=4081&namber=5789364&space=0&rev=1&page=0&no=0",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"24.249.199.12",
"httpStatus"=>301, "sentBytes"=>513,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509552, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>612,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&mo=4081&namber=5789364&space=0&rev=1&page=0&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Edge/44.18363.8131", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}], "@timestamp"=>2024-02-
25T03:38:50.203468838Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:38:11+00:00\", \"time\": \"2024-02-25T03:38:11+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15404\",\"requestUri\":\"\\/00\\/
S5YA15404\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1005,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":10,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluatio
nTime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"26565954167a
2f2aa2d23c7753d7f13d\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:38:14+00:00\", \"time\": \"2024-02-
25T03:38:14+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"188.130.142.57\",\"clientPort\":51537,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=99802&mode=al2&namber=5789364&no=0&page=0&rev=0&space=15\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=99802&mode=al2&namber=5789364&no=0&page=0&rev=0&sp
ace=15\",\"userAgent\":\"Mozilla\\/5.0 (Linux; Android 6.0.1; Nexus 5X
Build\\/MMB29P) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.6167.139
Mobile Safari\\/537.36 (compatible; Googlebot\\/2.1;
+http:\\/\\/www.google.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERRO
RINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":666,\"sentBytes\":515,\"connectionSerialNumber\":509550,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"713fb4a3ba26b8
18095918f09a147d13\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:38:18+00:00\", \"time\": \"2024-02-
25T03:38:18+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"24.249.199.12\",\"clientPort\":39930,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=4081&namber=5789364&space=0&rev=1&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=4081&namber=5789364&space=0&rev=1&page=0&
no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/114.0.0.0 Safari\\/537.36
Edge\\/44.18363.8131\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":612,\"sentBytes\":513,\"connectionSerialNumber\":509552,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"a111f16d5f15c9
29405821a4ed077d40\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\
":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertificateIssuerName\":
\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"u
pstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"\"}}]}
", "event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:38:11+00:00\", \"time\": \"2024-02-25T03:38:11+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15404\",\"requestUri\":\"\\/00\\/
S5YA15404\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1005,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":10,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluatio
nTime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"26565954167a
2f2aa2d23c7753d7f13d\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:38:14+00:00\", \"time\": \"2024-02-
25T03:38:14+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"188.130.142.57\",\"clientPort\":51537,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=99802&mode=al2&namber=5789364&no=0&page=0&rev=0&space=15\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=99802&mode=al2&namber=5789364&no=0&page=0&rev=0&sp
ace=15\",\"userAgent\":\"Mozilla\\/5.0 (Linux; Android 6.0.1; Nexus 5X
Build\\/MMB29P) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.6167.139
Mobile Safari\\/537.36 (compatible; Googlebot\\/2.1;
+http:\\/\\/www.google.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERRO
RINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":666,\"sentBytes\":515,\"connectionSerialNumber\":509550,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"713fb4a3ba26b8
18095918f09a147d13\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:38:18+00:00\", \"time\": \"2024-02-
25T03:38:18+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"24.249.199.12\",\"clientPort\":39930,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=4081&namber=5789364&space=0&rev=1&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=4081&namber=5789364&space=0&rev=1&page=0&
no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/114.0.0.0 Safari\\/537.36
Edge\\/44.18363.8131\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":612,\"sentBytes\":513,\"connectionSerialNumber\":509552,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"a111f16d5f15c9
29405821a4ed077d40\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}"}}}
[2024-02-25T03:38:50,259][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:38:11+00:00", "timeStamp"=>"2024-02-
25T03:38:11+00:00", "listenerName"=>"APG01_Listener15_HTTPS_AutoID-Redirect",
"properties"=>{"host"=>"", "clientPort"=>35780, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"",
"timeTaken"=>0, "transactionId"=>"26565954167a2f2aa2d23c7753d7f13d",
"sslClientVerify"=>"NONE", "originalRequestUriWithArgs"=>"/00/S5YA15404",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"13.73.28.76",
"httpStatus"=>307, "sentBytes"=>463, "requestUri"=>"/00/S5YA15404",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509422, "contentType"=>"",
"originalHost"=>"autoid.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>1005,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>10,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule15_AutoID-Redirect"}, :field=>"records"}
[2024-02-25T03:38:50,259][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:38:14+00:00", "timeStamp"=>"2024-02-
25T03:38:14+00:00", "listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect",
"properties"=>{"host"=>"", "clientPort"=>51537, "sslProtocol"=>"",
"serverRouted"=>"", "sslCipher"=>"", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"713fb4a3ba26b818095918f09a147d13", "sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mo=99802&mode=al2&namber=5789364&no=0&page=0&rev=0&space=15",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"188.130.142.57",
"httpStatus"=>301, "sentBytes"=>515,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509550, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>666,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mo=99802&mode=al2&namber=5789364&no=0&page=0&rev=0&space=15",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Mobile Safari/537.36
(compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, :field=>"records"}
[2024-02-25T03:38:50,259][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:38:18+00:00", "timeStamp"=>"2024-02-
25T03:38:18+00:00", "listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect",
"properties"=>{"host"=>"", "clientPort"=>39930, "sslProtocol"=>"",
"serverRouted"=>"", "sslCipher"=>"", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"a111f16d5f15c929405821a4ed077d40", "sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&mo=4081&namber=5789364&space=0&rev=1&page=0&no=0",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"24.249.199.12",
"httpStatus"=>301, "sentBytes"=>513,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509552, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>612,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&mo=4081&namber=5789364&space=0&rev=1&page=0&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Edge/44.18363.8131", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, :field=>"records"}
[2024-02-25T03:38:50,271][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>3, :payload_size=>36929, :content_length=>3514, :batch_offset=>0}
[2024-02-25T03:38:51,647][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1185004608} forced-compaction result
(captures: `13` span: `PT1M0.033821313S`)
[2024-02-25T03:38:51,648][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=470312551} forced-compaction result
(captures: `13` span: `PT1M0.033777712S`)
[2024-02-25T03:38:51,648][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1089746968} forced-compaction result
(captures: `13` span: `PT1M0.03369441S`)
[2024-02-25T03:38:51,648][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=852728684} forced-compaction result
(captures: `13` span: `PT1M0.03367811S`)
[2024-02-25T03:38:51,648][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2044420810} forced-compaction result
(captures: `13` span: `PT1M0.033658309S`)
[2024-02-25T03:38:51,648][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=650053832} forced-compaction result
(captures: `13` span: `PT1M0.033693111S`)
[2024-02-25T03:38:51,648][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1206567167} forced-compaction result
(captures: `13` span: `PT1M0.033727811S`)
[2024-02-25T03:38:51,648][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1766603669} forced-compaction result
(captures: `13` span: `PT1M0.03372611S`)
[2024-02-25T03:38:51,648][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1260640580} forced-compaction result
(captures: `13` span: `PT1M0.033722411S`)
[2024-02-25T03:38:51,648][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=352608672} forced-compaction result
(captures: `13` span: `PT1M0.03370951S`)
[2024-02-25T03:38:51,648][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=83404487} forced-compaction result
(captures: `13` span: `PT1M0.03370631S`)
[2024-02-25T03:38:51,648][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=216053086} forced-compaction result
(captures: `13` span: `PT1M0.03370251S`)
[2024-02-25T03:38:51,648][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1499243647} forced-compaction result
(captures: `13` span: `PT1M0.03369911S`)
[2024-02-25T03:38:51,648][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1877198741} forced-compaction result
(captures: `13` span: `PT1M0.033741711S`)
[2024-02-25T03:38:51,718][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:38:51,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:38:51,727][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:38:51,990][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:38:51,990][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:38:52,310][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:38:53,136][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_fa3633_1708832068590_MF_dea4fe_1708832068367-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
0], linkName[LN_f9801c_1708832068620_e07_G30] - schedule operation timer, current:
[2024-02-25T03:38:53.135970842Z], remaining: [60] secs
[2024-02-25T03:38:53,399][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:38:53,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25269
[2024-02-25T03:38:53,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20085
[2024-02-25T03:38:53,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25200
[2024-02-25T03:38:53,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25220
[2024-02-25T03:38:53,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:38:53,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:38:53,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:38:53,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:38:53,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:38:53,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:38:53,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:38:53,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:38:53,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:38:53,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25268
[2024-02-25T03:38:53,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20084
[2024-02-25T03:38:53,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25199
[2024-02-25T03:38:53,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25219
[2024-02-25T03:38:53,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:38:53,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:38:53,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:38:53,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:38:53,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:38:53,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:38:53,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:38:53,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:38:53,485][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:38:53,486][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:38:53,486][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:38:54,725][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:38:54,725][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:38:54,727][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:38:56,650][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1206079401} forced-compaction result (captures: `3` span: `PT10.005525345S`)
[2024-02-25T03:38:56,650][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=725814568} forced-compaction result (captures: `3` span: `PT10.005542646S`)
[2024-02-25T03:38:56,650][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1730595321} forced-compaction result (captures: `3` span: `PT10.005529446S`)
[2024-02-25T03:38:56,650][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2047832316} forced-compaction result
(captures: `13` span: `PT1M0.033396232S`)
[2024-02-25T03:38:56,650][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=267304298} forced-compaction result
(captures: `13` span: `PT1M0.033372631S`)
[2024-02-25T03:38:56,995][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:38:57,002][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:38:57,262][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 is processing a batch of
size 1.
[2024-02-25T03:38:57,264][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: Saving checkpoint: 1533336275400//1261942
[2024-02-25T03:38:57,264][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: updateCheckpoint() 1533336275400//1261942
[2024-02-25T03:38:57,264][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 finished processing a batch
of 1967 bytes.
[2024-02-25T03:38:57,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:38:57,314][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:38:57.263190213Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:38:20+00:00\", \"time\": \"2024-02-25T03:38:20+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"24.249.199.12\",\"clientPort\":34443,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=4081&namber=5789364&space=0&rev=1&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=4081&namber=5789364&space=0&rev=1&page=0&
no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/114.0.0.0 Safari\\/537.36
Edge\\/44.18363.8131\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":739,\"sentBytes\":7666,\"connectionSerialNumber\":509553,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.063,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"54fa1a0eb43f23f556fca78523c1f1ed\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"39518\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:38:20+00:00\", \"time\": \"2024-02-
25T03:38:20+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"24.249.199.12\",\"clientPort\":34443,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=4081&namber=5789364&space=0&rev=1&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=4081&namber=5789364&space=0&rev=1&page=0&
no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/114.0.0.0 Safari\\/537.36
Edge\\/44.18363.8131\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":739,\"sentBytes\":7666,\"connectionSerialNumber\":509553,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.063,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"54fa1a0eb43f23f556fca78523c1f1ed\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"39518\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:38:57,315][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:38:20+00:00", "timeStamp"=>"2024-02-25T03:38:20+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>34443,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.63e-1,
"transactionId"=>"54fa1a0eb43f23f556fca78523c1f1ed", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&mo=4081&namber=5789364&space=0&rev=1&page=0&no=0",
"WAFEvaluationTime"=>"0.004", "serverStatus"=>"200", "clientIP"=>"24.249.199.12",
"httpStatus"=>200, "sentBytes"=>7666,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509553, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>739,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&mo=4081&namber=5789364&space=0&rev=1&page=0&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Edge/44.18363.8131", "upstreamSourcePort"=>"39518",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.064"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}], "@timestamp"=>2024-02-
25T03:38:57.263190213Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:38:20+00:00\", \"time\": \"2024-02-25T03:38:20+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"24.249.199.12\",\"clientPort\":34443,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=4081&namber=5789364&space=0&rev=1&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=4081&namber=5789364&space=0&rev=1&page=0&
no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/114.0.0.0 Safari\\/537.36
Edge\\/44.18363.8131\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":739,\"sentBytes\":7666,\"connectionSerialNumber\":509553,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.063,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"54fa1a0eb43f23f556fca78523c1f1ed\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"39518\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:38:20+00:00\", \"time\": \"2024-02-
25T03:38:20+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"24.249.199.12\",\"clientPort\":34443,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=4081&namber=5789364&space=0&rev=1&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=4081&namber=5789364&space=0&rev=1&page=0&
no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/114.0.0.0 Safari\\/537.36
Edge\\/44.18363.8131\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":739,\"sentBytes\":7666,\"connectionSerialNumber\":509553,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.063,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"54fa1a0eb43f23f556fca78523c1f1ed\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"39518\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:38:57,316][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:38:20+00:00", "timeStamp"=>"2024-02-
25T03:38:20+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>34443,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.63e-1,
"transactionId"=>"54fa1a0eb43f23f556fca78523c1f1ed", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&mo=4081&namber=5789364&space=0&rev=1&page=0&no=0",
"WAFEvaluationTime"=>"0.004", "serverStatus"=>"200", "clientIP"=>"24.249.199.12",
"httpStatus"=>200, "sentBytes"=>7666,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509553, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>739,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&mo=4081&namber=5789364&space=0&rev=1&page=0&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Edge/44.18363.8131", "upstreamSourcePort"=>"39518",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.064"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:38:57,318][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>1, :payload_size=>6720, :content_length=>1965, :batch_offset=>0}
[2024-02-25T03:38:57,720][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:38:57,720][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:38:57,722][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:38:58,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:38:58,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20269
[2024-02-25T03:38:58,400][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25086
[2024-02-25T03:38:58,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20199
[2024-02-25T03:38:58,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20219
[2024-02-25T03:38:58,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:38:58,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:38:58,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:38:58,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:38:58,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:38:58,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:38:58,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:38:58,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:38:58,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:38:58,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20267
[2024-02-25T03:38:58,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25084
[2024-02-25T03:38:58,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20198
[2024-02-25T03:38:58,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20218
[2024-02-25T03:38:58,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:38:58,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:38:58,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:38:58,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:38:58,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:38:58,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:38:58,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:38:58,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:38:58,508][DEBUG]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkFlow
senderName[cbs], linkName[cbs:sender], unsettled[1], credit[98]
[2024-02-25T03:38:58,509][DEBUG]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkFlow
senderName[cbs], linkName[cbs:sender], unsettled[1], credit[98]
[2024-02-25T03:38:58,511][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], linkName[LN_163586_1708832038575_634_G17] - token renewed
[2024-02-25T03:38:58,512][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_539107_1708832038496_MF_00b33c_1708832038383-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
2], linkName[LN_c22bd3_1708832038545_dc7f_G9] - token renewed
[2024-02-25T03:38:58,601][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:38:58,601][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:38:58,601][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:38:58,620][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:38:58,620][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:38:58,620][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:38:58,669][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:38:58,670][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:38:58,670][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:39:00,733][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:39:00,734][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:39:00,735][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:39:01,652][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=540156057} forced-compaction result (captures: `3` span: `PT10.004656315S`)
[2024-02-25T03:39:01,652][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1346215174} forced-compaction result (captures: `3` span: `PT10.004818318S`)
[2024-02-25T03:39:01,652][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=827149645} forced-compaction result (captures: `3` span: `PT10.00489132S`)
[2024-02-25T03:39:01,652][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=235286487} forced-compaction result (captures: `3` span: `PT10.004759417S`)
[2024-02-25T03:39:01,652][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1065480294} forced-compaction result (captures: `3` span: `PT10.004756917S`)
[2024-02-25T03:39:01,652][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=57188157} forced-compaction result (captures: `3` span: `PT10.004753116S`)
[2024-02-25T03:39:01,652][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1486130488} forced-compaction result (captures: `3` span: `PT10.004746917S`)
[2024-02-25T03:39:01,653][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1741908330} forced-compaction result (captures: `3` span: `PT10.004675515S`)
[2024-02-25T03:39:01,653][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1466017590} forced-compaction result (captures: `3` span: `PT10.004633614S`)
[2024-02-25T03:39:01,653][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=272063376} forced-compaction result (captures: `3` span: `PT10.004625714S`)
[2024-02-25T03:39:01,653][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1815538147} forced-compaction result (captures: `3` span: `PT10.004622314S`)
[2024-02-25T03:39:01,653][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=273831222} forced-compaction result (captures: `3` span: `PT10.004612814S`)
[2024-02-25T03:39:01,653][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1255151645} forced-compaction result (captures: `3` span: `PT10.004608113S`)
[2024-02-25T03:39:01,653][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1620128012} forced-compaction result (captures: `3` span: `PT10.004605314S`)
[2024-02-25T03:39:01,653][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1001633036} forced-compaction result (captures: `3` span: `PT10.004612113S`)
[2024-02-25T03:39:01,653][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=969583785} forced-compaction result (captures: `3` span: `PT10.004563913S`)
[2024-02-25T03:39:02,013][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:39:02,014][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:39:02,259][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is processing a batch of
size 1.
[2024-02-25T03:39:02,261][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Saving checkpoint: 1533313470904//1261842
[2024-02-25T03:39:02,261][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: updateCheckpoint() 1533313470904//1261842
[2024-02-25T03:39:02,261][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 finished processing a batch
of 3489 bytes.
[2024-02-25T03:39:02,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:39:02,312][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:39:02.260979111Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:38:37+00:00\", \"time\": \"2024-02-25T03:38:37+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"40.77.167.235\",\"clientPort\":8128,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=1936&namber=5789364&space=0&rev=1&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=1936&namber=5789364&space=0&rev=1&page=0&
no=0\",\"userAgent\":\"Mozilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko;
compatible; bingbot\\/2.0; +http:\\/\\/www.bing.com\\/bingbot.htm)
Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":369,\"sentBytes\":7666,\"connectionSerialNumber\":510031,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.06,\"WAFEva
luationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"1c2f362b263a9737e321db6e6b7b4e43\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"30548\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:38:38+00:00\", \"time\": \"2024-02-25T03:38:38+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"40.77.167.235\",\"clientPort\":8134,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=12046&rev=0&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=12046&rev=0&no=0\",\"userAgent\":\"Mo
zilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko; compatible; bingbot\\/2.0;
+http:\\/\\/www.bing.com\\/bingbot.htm) Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":344,\"sentBytes\":488,\"connectionSerialNumber\":510033,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"8c5de7db1ef3b8
1ae73cf407618d4f4b\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}", "event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-
02-25T03:38:37+00:00\", \"time\": \"2024-02-
25T03:38:37+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"40.77.167.235\",\"clientPort\":8128,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=1936&namber=5789364&space=0&rev=1&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=1936&namber=5789364&space=0&rev=1&page=0&
no=0\",\"userAgent\":\"Mozilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko;
compatible; bingbot\\/2.0; +http:\\/\\/www.bing.com\\/bingbot.htm)
Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":369,\"sentBytes\":7666,\"connectionSerialNumber\":510031,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.06,\"WAFEva
luationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"1c2f362b263a9737e321db6e6b7b4e43\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"30548\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:38:38+00:00\", \"time\": \"2024-02-25T03:38:38+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"40.77.167.235\",\"clientPort\":8134,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=12046&rev=0&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=12046&rev=0&no=0\",\"userAgent\":\"Mo
zilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko; compatible; bingbot\\/2.0;
+http:\\/\\/www.bing.com\\/bingbot.htm) Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":344,\"sentBytes\":488,\"connectionSerialNumber\":510033,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"8c5de7db1ef3b8
1ae73cf407618d4f4b\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}"}}}
[2024-02-25T03:39:02,313][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:38:37+00:00", "timeStamp"=>"2024-02-25T03:38:37+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>8128,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.6e-1,
"transactionId"=>"1c2f362b263a9737e321db6e6b7b4e43", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&mo=1936&namber=5789364&space=0&rev=1&page=0&no=0",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"40.77.167.235",
"httpStatus"=>200, "sentBytes"=>7666,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>510031, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>369,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=al2&mo=1936&namber=5789364&space=0&rev=1&page=0&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.5e-2,
"userAgent"=>"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible;
bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36",
"upstreamSourcePort"=>"30548", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>"0.060"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, {"time"=>"2024-02-25T03:38:38+00:00",
"timeStamp"=>"2024-02-25T03:38:38+00:00",
"listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect", "properties"=>{"host"=>"",
"clientPort"=>8134, "sslProtocol"=>"", "serverRouted"=>"", "sslCipher"=>"",
"WAFMode"=>"", "timeTaken"=>0, "transactionId"=>"8c5de7db1ef3b81ae73cf407618d4f4b",
"sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&namber=12046&rev=0&no=0", "WAFEvaluationTime"=>"", "serverStatus"=>"",
"clientIP"=>"40.77.167.235", "httpStatus"=>301, "sentBytes"=>488,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>510033, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>344,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=al2&namber=12046&rev=0&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible;
bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}], "@timestamp"=>2024-02-
25T03:39:02.260979111Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:38:37+00:00\", \"time\": \"2024-02-25T03:38:37+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"40.77.167.235\",\"clientPort\":8128,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=1936&namber=5789364&space=0&rev=1&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=1936&namber=5789364&space=0&rev=1&page=0&
no=0\",\"userAgent\":\"Mozilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko;
compatible; bingbot\\/2.0; +http:\\/\\/www.bing.com\\/bingbot.htm)
Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":369,\"sentBytes\":7666,\"connectionSerialNumber\":510031,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.06,\"WAFEva
luationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"1c2f362b263a9737e321db6e6b7b4e43\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"30548\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:38:38+00:00\", \"time\": \"2024-02-25T03:38:38+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"40.77.167.235\",\"clientPort\":8134,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=12046&rev=0&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=12046&rev=0&no=0\",\"userAgent\":\"Mo
zilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko; compatible; bingbot\\/2.0;
+http:\\/\\/www.bing.com\\/bingbot.htm) Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":344,\"sentBytes\":488,\"connectionSerialNumber\":510033,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"8c5de7db1ef3b8
1ae73cf407618d4f4b\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}", "event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-
02-25T03:38:37+00:00\", \"time\": \"2024-02-
25T03:38:37+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"40.77.167.235\",\"clientPort\":8128,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=1936&namber=5789364&space=0&rev=1&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=1936&namber=5789364&space=0&rev=1&page=0&
no=0\",\"userAgent\":\"Mozilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko;
compatible; bingbot\\/2.0; +http:\\/\\/www.bing.com\\/bingbot.htm)
Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":369,\"sentBytes\":7666,\"connectionSerialNumber\":510031,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.06,\"WAFEva
luationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"1c2f362b263a9737e321db6e6b7b4e43\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"30548\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-25T03:38:38+00:00\",
\"time\": \"2024-02-25T03:38:38+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"40.77.167.235\",\"clientPort\":8134,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=12046&rev=0&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=12046&rev=0&no=0\",\"userAgent\":\"Mo
zilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko; compatible; bingbot\\/2.0;
+http:\\/\\/www.bing.com\\/bingbot.htm) Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":344,\"sentBytes\":488,\"connectionSerialNumber\":510033,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"8c5de7db1ef3b8
1ae73cf407618d4f4b\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}"}}}
[2024-02-25T03:39:02,318][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:38:37+00:00", "timeStamp"=>"2024-02-
25T03:38:37+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>8128,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.6e-1,
"transactionId"=>"1c2f362b263a9737e321db6e6b7b4e43", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&mo=1936&namber=5789364&space=0&rev=1&page=0&no=0",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"40.77.167.235",
"httpStatus"=>200, "sentBytes"=>7666,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>510031, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>369,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=al2&mo=1936&namber=5789364&space=0&rev=1&page=0&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.5e-2,
"userAgent"=>"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible;
bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36",
"upstreamSourcePort"=>"30548", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>"0.060"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:39:02,318][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:38:38+00:00", "timeStamp"=>"2024-02-
25T03:38:38+00:00", "listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect",
"properties"=>{"host"=>"", "clientPort"=>8134, "sslProtocol"=>"",
"serverRouted"=>"", "sslCipher"=>"", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"8c5de7db1ef3b81ae73cf407618d4f4b", "sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&namber=12046&rev=0&no=0", "WAFEvaluationTime"=>"", "serverStatus"=>"",
"clientIP"=>"40.77.167.235", "httpStatus"=>301, "sentBytes"=>488,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>510033, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>344,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=al2&namber=12046&rev=0&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible;
bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, :field=>"records"}
[2024-02-25T03:39:02,328][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>2, :payload_size=>19767, :content_length=>2706, :batch_offset=>0}
[2024-02-25T03:39:03,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:39:03,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25269
[2024-02-25T03:39:03,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20085
[2024-02-25T03:39:03,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25200
[2024-02-25T03:39:03,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25219
[2024-02-25T03:39:03,401][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:39:03,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:39:03,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:39:03,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:39:03,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:39:03,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:39:03,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:39:03,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:39:03,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:39:03,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25268
[2024-02-25T03:39:03,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20084
[2024-02-25T03:39:03,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25199
[2024-02-25T03:39:03,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25218
[2024-02-25T03:39:03,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:39:03,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:39:03,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:39:03,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:39:03,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:39:03,403][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:39:03,403][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:39:03,403][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:39:03,486][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:39:03,486][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:39:03,486][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:39:03,718][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:39:03,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:39:03,720][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:39:06,629][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], linkName[LN_163586_1708832038575_634_G17] - Reschedule operation timer,
current: [2024-02-25T03:39:06.629063362Z], remaining: [55] secs
[2024-02-25T03:39:06,629][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], linkName[LN_163586_1708832038575_634_G17] - Reschedule operation timer,
current: [2024-02-25T03:39:06.629341768Z], remaining: [55] secs
[2024-02-25T03:39:06,655][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=2108110993} forced-compaction result (captures: `3` span: `PT10.005075402S`)
[2024-02-25T03:39:06,655][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1130893468} forced-compaction result (captures: `3` span: `PT10.005167705S`)
[2024-02-25T03:39:06,721][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:39:06,721][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:39:06,723][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:39:07,020][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:39:07,020][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:39:07,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:39:08,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:39:08,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20268
[2024-02-25T03:39:08,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25084
[2024-02-25T03:39:08,402][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20199
[2024-02-25T03:39:08,402][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3) leased 20218
[2024-02-25T03:39:08,402][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:39:08,402][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at 0
[2024-02-25T03:39:08,402][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:39:08,402][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2 unowned 0
[2024-02-25T03:39:08,402][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:39:08,402][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or off end
[2024-02-25T03:39:08,402][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:39:08,402][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:39:08,403][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:39:08,403][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0) leased 20267
[2024-02-25T03:39:08,403][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1) leased 25083
[2024-02-25T03:39:08,403][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2) leased 20198
[2024-02-25T03:39:08,403][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3) leased 20217
[2024-02-25T03:39:08,403][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:39:08,403][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at 2
[2024-02-25T03:39:08,403][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:39:08,403][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2 unowned 0
[2024-02-25T03:39:08,403][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:39:08,403][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or off end
[2024-02-25T03:39:08,403][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:39:08,403][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:39:08,601][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:39:08,601][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:39:08,601][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:39:08,620][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:39:08,620][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:39:08,620][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:39:08,670][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:39:08,670][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:39:08,670][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:39:09,718][DEBUG][logstash.config.source.local.configpathloader] Skipping the following files while reading config since they don't match the specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf", "/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg", "/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv", "/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf", "/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg", "/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg", "/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf", "/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf", "/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf", "/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:39:09,725][DEBUG][logstash.config.source.local.configpathloader] Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-accesslog.conf"}
[2024-02-25T03:39:09,727][DEBUG][logstash.agent ] Converging pipelines state {:actions_count=>0}
[2024-02-25T03:39:12,025][DEBUG][logstash.instrument.periodicpoller.jvm] collector name {:name=>"G1 Young Generation"}
[2024-02-25T03:39:12,025][DEBUG][logstash.instrument.periodicpoller.jvm] collector name {:name=>"G1 Old Generation"}
[2024-02-25T03:39:12,305][DEBUG][org.logstash.execution.PeriodicFlush][azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:39:12,418][DEBUG][com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] clientId[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver], path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/1], linkName[LN_7535a2_1708832073460_45c_G10] - Reschedule operation timer, current: [2024-02-25T03:39:12.418681345Z], remaining: [44] secs
[2024-02-25T03:39:12,718][DEBUG][logstash.config.source.local.configpathloader] Skipping the following files while reading config since they don't match the specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf", "/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg", "/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv", "/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf", "/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg", "/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg", "/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf", "/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf", "/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf", "/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:39:12,718][DEBUG][logstash.config.source.local.configpathloader] Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-accesslog.conf"}
[2024-02-25T03:39:12,720][DEBUG][logstash.agent ] Converging pipelines state {:actions_count=>0}
[2024-02-25T03:39:13,403][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:39:13,403][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0) leased 25267
[2024-02-25T03:39:13,403][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1) leased 20083
[2024-02-25T03:39:13,403][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2) leased 25198
[2024-02-25T03:39:13,403][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3) leased 25217
[2024-02-25T03:39:13,403][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:39:13,403][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at 0
[2024-02-25T03:39:13,403][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:39:13,403][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2 unowned 0
[2024-02-25T03:39:13,403][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:39:13,403][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or off end
[2024-02-25T03:39:13,403][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:39:13,403][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0) leased 25267
[2024-02-25T03:39:13,403][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1) leased 20083
[2024-02-25T03:39:13,403][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2) leased 25198
[2024-02-25T03:39:13,403][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3) leased 25217
[2024-02-25T03:39:13,403][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:39:13,403][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at 2
[2024-02-25T03:39:13,403][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:39:13,403][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2 unowned 0
[2024-02-25T03:39:13,403][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:39:13,403][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or off end
[2024-02-25T03:39:13,403][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:39:13,403][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:39:13,403][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:39:13,404][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:39:13,486][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:39:13,487][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:39:13,487][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:39:14,257][DEBUG][logstash.inputs.azure.processor][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub: insights-logs-applicationgatewayaccesslog, Partition: 1 is processing a batch of size 1.
[2024-02-25T03:39:14,260][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: 1: Saving checkpoint: 1533336277432//1261943
[2024-02-25T03:39:14,260][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: 1: updateCheckpoint() 1533336277432//1261943
[2024-02-25T03:39:14,260][DEBUG][logstash.inputs.azure.processor][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub: insights-logs-applicationgatewayaccesslog, Partition: 1 finished processing a batch of 3314 bytes.
[2024-02-25T03:39:14,311][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:39:14.259795835Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:38:46+00:00\", \"time\": \"2024-02-25T03:38:46+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"114.119.157.96\",\"clientPort\":26899,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=653134&page&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=653134&page&no=0\",\"userAgent\":\"Mo
zilla\\/5.0 (compatible;PetalBot;+https:\\/\\/webmaster.petalsearch.com\\/site\\/
petalbot)\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus
\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":558,\"sentBytes\":488,\"connectionSerialNumber\":510035,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"4814fdc2851761
e0daed611487ae47d1\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:38:46+00:00\", \"time\": \"2024-02-
25T03:38:46+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"114.119.157.96\",\"clientPort\":37291,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=653134&page&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=653134&page&no=0\",\"userAgent\":\"Mo
zilla\\/5.0 (compatible;PetalBot;+https:\\/\\/webmaster.petalsearch.com\\/site\\/
petalbot)\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus
\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":441,\"sentBytes\":5977,\"connectionSerialNumber\":510036,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.076,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"689b23ee2ad00daf4ef22ccecdde45f9\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.076\",\"upst
reamSourcePort\":\"30548\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:38:46+00:00\", \"time\": \"2024-02-
25T03:38:46+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"114.119.157.96\",\"clientPort\":26899,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=653134&page&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=653134&page&no=0\",\"userAgent\":\"Mo
zilla\\/5.0 (compatible;PetalBot;+https:\\/\\/webmaster.petalsearch.com\\/site\\/
petalbot)\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus
\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":558,\"sentBytes\":488,\"connectionSerialNumber\":510035,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"4814fdc2851761
e0daed611487ae47d1\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:38:46+00:00\", \"time\": \"2024-02-
25T03:38:46+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"114.119.157.96\",\"clientPort\":37291,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=653134&page&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=653134&page&no=0\",\"userAgent\":\"Mo
zilla\\/5.0 (compatible;PetalBot;+https:\\/\\/webmaster.petalsearch.com\\/site\\/
petalbot)\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus
\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":441,\"sentBytes\":5977,\"connectionSerialNumber\":510036,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.076,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"689b23ee2ad00daf4ef22ccecdde45f9\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.076\",\"upst
reamSourcePort\":\"30548\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:39:14,313][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:38:46+00:00", "timeStamp"=>"2024-02-25T03:38:46+00:00",
"listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect", "properties"=>{"host"=>"",
"clientPort"=>26899, "sslProtocol"=>"", "serverRouted"=>"", "sslCipher"=>"",
"WAFMode"=>"", "timeTaken"=>0, "transactionId"=>"4814fdc2851761e0daed611487ae47d1",
"sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=653134&page&no=0", "WAFEvaluationTime"=>"", "serverStatus"=>"",
"clientIP"=>"114.119.157.96", "httpStatus"=>301, "sentBytes"=>488,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>510035, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>558,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=res&namber=653134&page&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0
(compatible;PetalBot;+https://webmaster.petalsearch.com/site/petalbot)",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, {"time"=>"2024-02-
25T03:38:46+00:00", "timeStamp"=>"2024-02-25T03:38:46+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>37291,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.76e-1,
"transactionId"=>"689b23ee2ad00daf4ef22ccecdde45f9", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=653134&page&no=0", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"114.119.157.96", "httpStatus"=>200,
"sentBytes"=>5977, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>510036, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>441,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=res&namber=653134&page&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0
(compatible;PetalBot;+https://webmaster.petalsearch.com/site/petalbot)",
"upstreamSourcePort"=>"30548", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>"0.076"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}], "@timestamp"=>2024-02-
25T03:39:14.259795835Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:38:46+00:00\", \"time\": \"2024-02-25T03:38:46+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"114.119.157.96\",\"clientPort\":26899,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=653134&page&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=653134&page&no=0\",\"userAgent\":\"Mo
zilla\\/5.0 (compatible;PetalBot;+https:\\/\\/webmaster.petalsearch.com\\/site\\/
petalbot)\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus
\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":558,\"sentBytes\":488,\"connectionSerialNumber\":510035,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"4814fdc2851761
e0daed611487ae47d1\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:38:46+00:00\", \"time\": \"2024-02-
25T03:38:46+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"114.119.157.96\",\"clientPort\":37291,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=653134&page&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=653134&page&no=0\",\"userAgent\":\"Mo
zilla\\/5.0 (compatible;PetalBot;+https:\\/\\/webmaster.petalsearch.com\\/site\\/
petalbot)\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus
\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":441,\"sentBytes\":5977,\"connectionSerialNumber\":510036,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.076,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"689b23ee2ad00daf4ef22ccecdde45f9\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.076\",\"upst
reamSourcePort\":\"30548\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:38:46+00:00\", \"time\": \"2024-02-
25T03:38:46+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"114.119.157.96\",\"clientPort\":26899,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=653134&page&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=653134&page&no=0\",\"userAgent\":\"Mo
zilla\\/5.0 (compatible;PetalBot;+https:\\/\\/webmaster.petalsearch.com\\/site\\/
petalbot)\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus
\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":558,\"sentBytes\":488,\"connectionSerialNumber\":510035,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"4814fdc2851761
e0daed611487ae47d1\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:38:46+00:00\", \"time\": \"2024-02-
25T03:38:46+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"114.119.157.96\",\"clientPort\":37291,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=653134&page&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=653134&page&no=0\",\"userAgent\":\"Mo
zilla\\/5.0
(compatible;PetalBot;+https:\\/\\/webmaster.petalsearch.com\\/site\\/
petalbot)\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus
\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":441,\"sentBytes\":5977,\"connectionSerialNumber\":510036,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.076,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"689b23ee2ad00daf4ef22ccecdde45f9\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.076\",\"upst
reamSourcePort\":\"30548\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:39:14,314][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:38:46+00:00", "timeStamp"=>"2024-02-
25T03:38:46+00:00", "listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect",
"properties"=>{"host"=>"", "clientPort"=>26899, "sslProtocol"=>"",
"serverRouted"=>"", "sslCipher"=>"", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"4814fdc2851761e0daed611487ae47d1", "sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=653134&page&no=0", "WAFEvaluationTime"=>"", "serverStatus"=>"",
"clientIP"=>"114.119.157.96", "httpStatus"=>301, "sentBytes"=>488,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>510035, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>558,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=res&namber=653134&page&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0
(compatible;PetalBot;+https://webmaster.petalsearch.com/site/petalbot)",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, :field=>"records"}
[2024-02-25T03:39:14,315][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:38:46+00:00", "timeStamp"=>"2024-02-
25T03:38:46+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>37291,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.76e-1,
"transactionId"=>"689b23ee2ad00daf4ef22ccecdde45f9", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=653134&page&no=0", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"114.119.157.96", "httpStatus"=>200,
"sentBytes"=>5977, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>510036, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>441,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=res&namber=653134&page&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0
(compatible;PetalBot;+https://webmaster.petalsearch.com/site/petalbot)",
"upstreamSourcePort"=>"30548", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>"0.076"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:39:14,325][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>2, :payload_size=>18626, :content_length=>2424, :batch_offset=>0}
[2024-02-25T03:39:14,343][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_539107_1708832038496_MF_00b33c_1708832038383-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
2], linkName[LN_c22bd3_1708832038545_dc7f_G9] - schedule operation timer, current:
[2024-02-25T03:39:14.343342158Z], remaining: [60] secs
[2024-02-25T03:39:15,718][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:39:15,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:39:15,720][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:39:16,660][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=347708838} forced-compaction result
(captures: `13` span: `PT1M0.03141474S`)
[2024-02-25T03:39:16,660][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1975461151} forced-compaction result
(captures: `13` span: `PT1M0.031392039S`)
[2024-02-25T03:39:16,660][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=834359250} forced-compaction result
(captures: `13` span: `PT1M0.031397139S`)
[2024-02-25T03:39:16,660][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=212501865} forced-compaction result
(captures: `13` span: `PT1M0.03139944S`)
[2024-02-25T03:39:16,660][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1420193271} forced-compaction result
(captures: `13` span: `PT1M0.03140524S`)
[2024-02-25T03:39:17,030][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:39:17,030][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:39:17,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:39:18,403][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:39:18,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20266
[2024-02-25T03:39:18,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25083
[2024-02-25T03:39:18,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20197
[2024-02-25T03:39:18,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20216
[2024-02-25T03:39:18,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:39:18,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:39:18,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20266
[2024-02-25T03:39:18,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:39:18,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:39:18,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25083
[2024-02-25T03:39:18,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:39:18,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20197
[2024-02-25T03:39:18,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20216
[2024-02-25T03:39:18,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:39:18,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:39:18,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:39:18,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:39:18,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:39:18,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:39:18,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:39:18,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:39:18,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:39:18,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:39:18,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:39:18,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:39:18,601][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:39:18,601][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:39:18,602][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:39:18,621][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:39:18,621][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:39:18,621][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:39:18,670][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:39:18,670][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:39:18,670][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:39:18,724][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:39:18,724][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:39:18,725][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:39:21,663][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1185004608} forced-compaction result
(captures: `13` span: `PT1M0.03105262S`)
[2024-02-25T03:39:21,663][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=470312551} forced-compaction result
(captures: `13` span: `PT1M0.031077421S`)
[2024-02-25T03:39:21,663][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1089746968} forced-compaction result
(captures: `13` span: `PT1M0.031063021S`)
[2024-02-25T03:39:21,663][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=852728684} forced-compaction result
(captures: `13` span: `PT1M0.03105692S`)
[2024-02-25T03:39:21,663][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2044420810} forced-compaction result
(captures: `13` span: `PT1M0.031056321S`)
[2024-02-25T03:39:21,663][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=650053832} forced-compaction result
(captures: `13` span: `PT1M0.031050121S`)
[2024-02-25T03:39:21,663][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1206567167} forced-compaction result
(captures: `13` span: `PT1M0.031071921S`)
[2024-02-25T03:39:21,663][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1766603669} forced-compaction result
(captures: `13` span: `PT1M0.03107052S`)
[2024-02-25T03:39:21,663][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1260640580} forced-compaction result
(captures: `13` span: `PT1M0.031043419S`)
[2024-02-25T03:39:21,663][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=352608672} forced-compaction result
(captures: `13` span: `PT1M0.031073221S`)
[2024-02-25T03:39:21,663][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=83404487} forced-compaction result
(captures: `13` span: `PT1M0.03106152S`)
[2024-02-25T03:39:21,663][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=216053086} forced-compaction result
(captures: `13` span: `PT1M0.031054921S`)
[2024-02-25T03:39:21,663][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1499243647} forced-compaction result
(captures: `13` span: `PT1M0.03104002S`)
[2024-02-25T03:39:21,663][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1877198741} forced-compaction result
(captures: `13` span: `PT1M0.031035419S`)
[2024-02-25T03:39:21,720][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:39:21,721][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:39:21,725][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:39:22,042][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:39:22,042][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:39:22,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:39:23,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:39:23,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:39:23,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25266
[2024-02-25T03:39:23,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20083
[2024-02-25T03:39:23,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25266
[2024-02-25T03:39:23,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25197
[2024-02-25T03:39:23,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20083
[2024-02-25T03:39:23,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25217
[2024-02-25T03:39:23,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25197
[2024-02-25T03:39:23,404][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25217
[2024-02-25T03:39:23,405][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:39:23,405][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:39:23,405][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:39:23,405][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:39:23,405][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:39:23,405][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:39:23,405][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:39:23,405][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:39:23,405][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:39:23,405][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:39:23,405][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:39:23,405][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:39:23,405][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:39:23,405][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:39:23,405][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:39:23,405][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:39:23,487][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:39:23,487][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:39:23,487][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:39:24,718][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:39:24,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:39:24,720][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:39:26,665][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1206079401} forced-compaction result (captures: `3` span: `PT10.005283707S`)
[2024-02-25T03:39:26,665][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=725814568} forced-compaction result (captures: `3` span: `PT10.005317208S`)
[2024-02-25T03:39:26,665][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1730595321} forced-compaction result (captures: `3` span: `PT10.005321208S`)
[2024-02-25T03:39:26,666][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2047832316} forced-compaction result
(captures: `13` span: `PT1M0.031383315S`)
[2024-02-25T03:39:26,666][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=267304298} forced-compaction result
(captures: `13` span: `PT1M0.031353315S`)
[2024-02-25T03:39:27,047][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:39:27,049][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:39:27,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:39:27,720][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:39:27,720][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:39:27,722][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:39:28,405][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:39:28,405][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:39:28,405][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20265
[2024-02-25T03:39:28,405][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20265
[2024-02-25T03:39:28,405][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25082
[2024-02-25T03:39:28,405][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20196
[2024-02-25T03:39:28,405][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20216
[2024-02-25T03:39:28,405][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:39:28,405][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:39:28,405][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:39:28,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:39:28,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:39:28,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:39:28,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:39:28,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:39:28,405][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25082
[2024-02-25T03:39:28,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20195
[2024-02-25T03:39:28,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20215
[2024-02-25T03:39:28,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:39:28,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:39:28,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:39:28,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:39:28,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:39:28,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:39:28,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:39:28,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:39:28,598][DEBUG]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkFlow
senderName[cbs], linkName[cbs:sender], unsettled[1], credit[98]
[2024-02-25T03:39:28,599][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_fa3633_1708832068590_MF_dea4fe_1708832068367-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
0], linkName[LN_f9801c_1708832068620_e07_G30] - token renewed
[2024-02-25T03:39:28,602][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:39:28,602][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:39:28,602][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:39:28,621][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:39:28,621][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:39:28,621][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:39:28,671][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:39:28,671][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:39:28,671][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:39:30,724][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:39:30,725][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:39:30,727][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:39:31,668][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=540156057} forced-compaction result (captures: `3` span: `PT10.00590632S`)
[2024-02-25T03:39:31,670][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1346215174} forced-compaction result (captures: `3` span: `PT10.00727815S`)
[2024-02-25T03:39:31,670][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=827149645} forced-compaction result (captures: `3` span: `PT10.007346052S`)
[2024-02-25T03:39:31,670][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=235286487} forced-compaction result (captures: `3` span: `PT10.00729515S`)
[2024-02-25T03:39:31,670][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1065480294} forced-compaction result (captures: `3` span: `PT10.007314151S`)
[2024-02-25T03:39:31,671][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=57188157} forced-compaction result (captures: `3` span: `PT10.007817762S`)
[2024-02-25T03:39:31,671][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1486130488} forced-compaction result (captures: `3` span: `PT10.007878763S`)
[2024-02-25T03:39:31,671][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1741908330} forced-compaction result (captures: `3` span: `PT10.007916664S`)
[2024-02-25T03:39:31,671][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1466017590} forced-compaction result (captures: `3` span: `PT10.007901963S`)
[2024-02-25T03:39:31,671][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=272063376} forced-compaction result (captures: `3` span: `PT10.007902864S`)
[2024-02-25T03:39:31,671][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1815538147} forced-compaction result (captures: `3` span: `PT10.007912764S`)
[2024-02-25T03:39:31,671][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=273831222} forced-compaction result (captures: `3` span: `PT10.008002266S`)
[2024-02-25T03:39:31,671][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1255151645} forced-compaction result (captures: `3` span: `PT10.008003566S`)
[2024-02-25T03:39:31,671][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1620128012} forced-compaction result (captures: `3` span: `PT10.008006066S`)
[2024-02-25T03:39:31,671][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1001633036} forced-compaction result (captures: `3` span: `PT10.008016666S`)
[2024-02-25T03:39:31,671][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=969583785} forced-compaction result (captures: `3` span: `PT10.008029667S`)
[2024-02-25T03:39:32,054][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:39:32,054][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:39:32,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:39:33,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:39:33,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25265
[2024-02-25T03:39:33,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20081
[2024-02-25T03:39:33,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25196
[2024-02-25T03:39:33,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25215
[2024-02-25T03:39:33,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:39:33,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25265
[2024-02-25T03:39:33,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20081
[2024-02-25T03:39:33,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25196
[2024-02-25T03:39:33,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25215
[2024-02-25T03:39:33,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:39:33,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:39:33,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:39:33,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:39:33,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:39:33,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:39:33,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:39:33,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:39:33,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:39:33,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:39:33,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:39:33,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:39:33,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:39:33,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:39:33,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:39:33,406][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:39:33,422][DEBUG]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkFlow
senderName[cbs], linkName[cbs:sender], unsettled[1], credit[98]
[2024-02-25T03:39:33,424][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
1], linkName[LN_7535a2_1708832073460_45c_G10] - token renewed
[2024-02-25T03:39:33,487][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:39:33,487][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:39:33,487][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:39:33,718][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:39:33,725][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:39:33,726][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:39:36,673][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=2108110993} forced-compaction result (captures: `3` span: `PT10.007444454S`)
[2024-02-25T03:39:36,673][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1130893468} forced-compaction result (captures: `3` span: `PT10.007572856S`)
[2024-02-25T03:39:36,721][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:39:36,721][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:39:36,722][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:39:37,059][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:39:37,059][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:39:37,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:39:38,406][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:39:38,407][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:39:38,407][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0) leased 20264
[2024-02-25T03:39:38,407][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0) leased 20264
[2024-02-25T03:39:38,407][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1) leased 25080
[2024-02-25T03:39:38,407][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2) leased 20195
[2024-02-25T03:39:38,407][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3) leased 20214
[2024-02-25T03:39:38,407][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:39:38,407][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1) leased 25080
[2024-02-25T03:39:38,407][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at 2
[2024-02-25T03:39:38,407][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2) leased 20195
[2024-02-25T03:39:38,407][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:39:38,407][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3) leased 20214
[2024-02-25T03:39:38,407][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2 unowned 0
[2024-02-25T03:39:38,407][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:39:38,407][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or off end
[2024-02-25T03:39:38,407][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:39:38,407][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:39:38,407][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at 0
[2024-02-25T03:39:38,407][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:39:38,407][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:39:38,407][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2 unowned 0
[2024-02-25T03:39:38,407][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:39:38,407][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or off end
[2024-02-25T03:39:38,407][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:39:38,407][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:39:38,602][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:39:38,602][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:39:38,602][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:39:38,622][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:39:38,622][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:39:38,622][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:39:38,671][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:39:38,671][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:39:38,671][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:39:39,352][DEBUG][com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] clientId[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver], path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/1], linkName[LN_7535a2_1708832073460_45c_G10] - Reschedule operation timer, current: [2024-02-25T03:39:39.351951274Z], remaining: [34] secs
[2024-02-25T03:39:39,724][DEBUG][logstash.config.source.local.configpathloader] Skipping the following files while reading config since they don't match the specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf", "/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg", "/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv", "/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf", "/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg", "/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg", "/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf", "/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf", "/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf", "/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:39:39,725][DEBUG][logstash.config.source.local.configpathloader] Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-accesslog.conf"}
[2024-02-25T03:39:39,726][DEBUG][logstash.agent ] Converging pipelines state {:actions_count=>0}
[2024-02-25T03:39:41,422][DEBUG][logstash.inputs.azure.processor][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub: insights-logs-applicationgatewayaccesslog, Partition: 3 is processing a batch of size 1.
[2024-02-25T03:39:41,424][DEBUG][com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Saving checkpoint: 1533313474464//1261843
[2024-02-25T03:39:41,424][DEBUG][com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-f056301f-f62d-4924-9f8c-3fe735190fe6: 3: updateCheckpoint() 1533313474464//1261843
[2024-02-25T03:39:41,425][DEBUG][logstash.inputs.azure.processor][azure_waf_access][e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub: insights-logs-applicationgatewayaccesslog, Partition: 3 finished processing a batch of 3737 bytes.
[2024-02-25T03:39:41,475][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:39:41.424146109Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:39:12+00:00\", \"time\": \"2024-02-25T03:39:12+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"218.13.194.194\",\"clientPort\":8052,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw1\\/submit?
cid=000892\",\"requestUri\":\"\\/cs\\/gw1\\/
submit\",\"requestQuery\":\"cid=000892\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/78.0.3904.108
Safari\\/537.36\",\"contentType\":\"application\\/x-www-form-
urlencoded\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":302,\"httpVersion
\":\"HTTP\\/
1.1\",\"receivedBytes\":6938,\"sentBytes\":381,\"connectionSerialNumber\":510059,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.181,\"WAFEvalua
tionTime\":\"0.008\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"d6f875adfac8b66a5340dcdab6d
94d8e\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"302\",\"serverResponseLatency\":\"0.112\",\"ups
treamSourcePort\":\"17180\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:39:12+00:00\", \"time\": \"2024-02-25T03:39:12+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"218.13.194.194\",\"clientPort\":8054,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw2\\/submit?
cid=000892\",\"requestUri\":\"\\/cs\\/gw2\\/
submit\",\"requestQuery\":\"cid=000892\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/78.0.3904.108
Safari\\/537.36\",\"contentType\":\"application\\/x-www-form-
urlencoded\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":302,\"httpVersion
\":\"HTTP\\/
1.1\",\"receivedBytes\":627,\"sentBytes\":381,\"connectionSerialNumber\":510061,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.007,\"WAFEvaluat
ionTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"f5c8bb501e512be33e4e83dc6cc
f4c8e\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"302\",\"serverResponseLatency\":\"0.004\",\"ups
treamSourcePort\":\"17180\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:39:12+00:00\", \"time\": \"2024-02-
25T03:39:12+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"218.13.194.194\",\"clientPort\":8052,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw1\\/submit?
cid=000892\",\"requestUri\":\"\\/cs\\/gw1\\/
submit\",\"requestQuery\":\"cid=000892\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/78.0.3904.108
Safari\\/537.36\",\"contentType\":\"application\\/x-www-form-
urlencoded\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":302,\"httpVersion
\":\"HTTP\\/
1.1\",\"receivedBytes\":6938,\"sentBytes\":381,\"connectionSerialNumber\":510059,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.181,\"WAFEvalua
tionTime\":\"0.008\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"d6f875adfac8b66a5340dcdab6d
94d8e\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"302\",\"serverResponseLatency\":\"0.112\",\"ups
treamSourcePort\":\"17180\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:39:12+00:00\", \"time\": \"2024-02-25T03:39:12+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"218.13.194.194\",\"clientPort\":8054,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw2\\/submit?
cid=000892\",\"requestUri\":\"\\/cs\\/gw2\\/
submit\",\"requestQuery\":\"cid=000892\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/78.0.3904.108
Safari\\/537.36\",\"contentType\":\"application\\/x-www-form-
urlencoded\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":302,\"httpVersion
\":\"HTTP\\/
1.1\",\"receivedBytes\":627,\"sentBytes\":381,\"connectionSerialNumber\":510061,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.007,\"WAFEvaluat
ionTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"f5c8bb501e512be33e4e83dc6cc
f4c8e\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"302\",\"serverResponseLatency\":\"0.004\",\"ups
treamSourcePort\":\"17180\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}}]}"}}}
[2024-02-25T03:39:41,476][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:39:12+00:00", "timeStamp"=>"2024-02-25T03:39:12+00:00",
"backendPoolName"=>"APG01_BackendPool09_ContactSystem",
"listenerName"=>"APG01_Listener09_HTTPS_ContactSystem",
"properties"=>{"host"=>"contact.yokogawa.com", "clientPort"=>8052,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.14.10.57:80", "sslCipher"=>"ECDHE-
RSA-AES256-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.181e0,
"transactionId"=>"d6f875adfac8b66a5340dcdab6d94d8e", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cs/gw1/submit?cid=000892",
"WAFEvaluationTime"=>"0.008", "serverStatus"=>"302", "clientIP"=>"218.13.194.194",
"httpStatus"=>302, "sentBytes"=>381, "requestUri"=>"/cs/gw1/submit",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/
APG01V2_WAFPolicy09_ContactSystem", "connectionSerialNumber"=>510059,
"contentType"=>"application/x-www-form-urlencoded",
"originalHost"=>"contact.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>6938,
"httpMethod"=>"POST", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_4", "requestQuery"=>"cid=000892",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/78.0.3904.108 Safari/537.36", "upstreamSourcePort"=>"17180",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.112"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP09_ContactSystem",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_Listener09_HTTPS_ContactSystem"}, {"time"=>"2024-02-
25T03:39:12+00:00", "timeStamp"=>"2024-02-25T03:39:12+00:00",
"backendPoolName"=>"APG01_BackendPool09_ContactSystem",
"listenerName"=>"APG01_Listener09_HTTPS_ContactSystem",
"properties"=>{"host"=>"contact.yokogawa.com", "clientPort"=>8054,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.14.10.57:80", "sslCipher"=>"ECDHE-
RSA-AES256-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.7e-2,
"transactionId"=>"f5c8bb501e512be33e4e83dc6ccf4c8e", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cs/gw2/submit?cid=000892",
"WAFEvaluationTime"=>"0.004", "serverStatus"=>"302", "clientIP"=>"218.13.194.194",
"httpStatus"=>302, "sentBytes"=>381, "requestUri"=>"/cs/gw2/submit",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/
APG01V2_WAFPolicy09_ContactSystem", "connectionSerialNumber"=>510061,
"contentType"=>"application/x-www-form-urlencoded",
"originalHost"=>"contact.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>627,
"httpMethod"=>"POST", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_4", "requestQuery"=>"cid=000892",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/78.0.3904.108 Safari/537.36", "upstreamSourcePort"=>"17180",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.004"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP09_ContactSystem",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_Listener09_HTTPS_ContactSystem"}], "@timestamp"=>2024-02-
25T03:39:41.424146109Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:39:12+00:00\", \"time\": \"2024-02-25T03:39:12+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"218.13.194.194\",\"clientPort\":8052,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw1\\/submit?
cid=000892\",\"requestUri\":\"\\/cs\\/gw1\\/
submit\",\"requestQuery\":\"cid=000892\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/78.0.3904.108
Safari\\/537.36\",\"contentType\":\"application\\/x-www-form-
urlencoded\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":302,\"httpVersion
\":\"HTTP\\/
1.1\",\"receivedBytes\":6938,\"sentBytes\":381,\"connectionSerialNumber\":510059,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.181,\"WAFEvalua
tionTime\":\"0.008\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"d6f875adfac8b66a5340dcdab6d
94d8e\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"302\",\"serverResponseLatency\":\"0.112\",\"ups
treamSourcePort\":\"17180\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:39:12+00:00\", \"time\": \"2024-02-25T03:39:12+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"218.13.194.194\",\"clientPort\":8054,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw2\\/submit?
cid=000892\",\"requestUri\":\"\\/cs\\/gw2\\/
submit\",\"requestQuery\":\"cid=000892\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/78.0.3904.108
Safari\\/537.36\",\"contentType\":\"application\\/x-www-form-
urlencoded\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":302,\"httpVersion
\":\"HTTP\\/
1.1\",\"receivedBytes\":627,\"sentBytes\":381,\"connectionSerialNumber\":510061,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.007,\"WAFEvaluat
ionTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"f5c8bb501e512be33e4e83dc6cc
f4c8e\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"302\",\"serverResponseLatency\":\"0.004\",\"ups
treamSourcePort\":\"17180\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:39:12+00:00\", \"time\": \"2024-02-
25T03:39:12+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"218.13.194.194\",\"clientPort\":8052,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw1\\/submit?
cid=000892\",\"requestUri\":\"\\/cs\\/gw1\\/
submit\",\"requestQuery\":\"cid=000892\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/78.0.3904.108
Safari\\/537.36\",\"contentType\":\"application\\/x-www-form-
urlencoded\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":302,\"httpVersion
\":\"HTTP\\/
1.1\",\"receivedBytes\":6938,\"sentBytes\":381,\"connectionSerialNumber\":510059,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.181,\"WAFEvalua
tionTime\":\"0.008\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"d6f875adfac8b66a5340dcdab6d
94d8e\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"ssl
ClientCertificateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serve
rRouted\":\"10.14.10.57:80\",\"serverStatus\":\"302\",\"serverResponseLatency\":\"0
.112\",\"upstreamSourcePort\":\"17180\",\"originalHost\":\"contact.yokogawa.com\",\
"host\":\"contact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:39:12+00:00\", \"time\": \"2024-02-25T03:39:12+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"218.13.194.194\",\"clientPort\":8054,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw2\\/submit?
cid=000892\",\"requestUri\":\"\\/cs\\/gw2\\/
submit\",\"requestQuery\":\"cid=000892\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/78.0.3904.108
Safari\\/537.36\",\"contentType\":\"application\\/x-www-form-
urlencoded\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":302,\"httpVersion
\":\"HTTP\\/
1.1\",\"receivedBytes\":627,\"sentBytes\":381,\"connectionSerialNumber\":510061,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.007,\"WAFEvaluat
ionTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"f5c8bb501e512be33e4e83dc6cc
f4c8e\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"302\",\"serverResponseLatency\":\"0.004\",\"ups
treamSourcePort\":\"17180\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}}]}"}}}
[2024-02-25T03:39:41,477][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:39:12+00:00", "timeStamp"=>"2024-02-
25T03:39:12+00:00", "backendPoolName"=>"APG01_BackendPool09_ContactSystem",
"listenerName"=>"APG01_Listener09_HTTPS_ContactSystem",
"properties"=>{"host"=>"contact.yokogawa.com", "clientPort"=>8052,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.14.10.57:80", "sslCipher"=>"ECDHE-
RSA-AES256-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.181e0,
"transactionId"=>"d6f875adfac8b66a5340dcdab6d94d8e", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cs/gw1/submit?cid=000892",
"WAFEvaluationTime"=>"0.008", "serverStatus"=>"302", "clientIP"=>"218.13.194.194",
"httpStatus"=>302, "sentBytes"=>381, "requestUri"=>"/cs/gw1/submit",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/
APG01V2_WAFPolicy09_ContactSystem", "connectionSerialNumber"=>510059,
"contentType"=>"application/x-www-form-urlencoded",
"originalHost"=>"contact.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>6938,
"httpMethod"=>"POST", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_4", "requestQuery"=>"cid=000892",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/78.0.3904.108 Safari/537.36", "upstreamSourcePort"=>"17180",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.112"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP09_ContactSystem",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_Listener09_HTTPS_ContactSystem"}, :field=>"records"}
[2024-02-25T03:39:41,481][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:39:12+00:00", "timeStamp"=>"2024-02-
25T03:39:12+00:00", "backendPoolName"=>"APG01_BackendPool09_ContactSystem",
"listenerName"=>"APG01_Listener09_HTTPS_ContactSystem",
"properties"=>{"host"=>"contact.yokogawa.com", "clientPort"=>8054,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.14.10.57:80", "sslCipher"=>"ECDHE-
RSA-AES256-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.7e-2,
"transactionId"=>"f5c8bb501e512be33e4e83dc6ccf4c8e", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cs/gw2/submit?cid=000892",
"WAFEvaluationTime"=>"0.004", "serverStatus"=>"302", "clientIP"=>"218.13.194.194",
"httpStatus"=>302, "sentBytes"=>381, "requestUri"=>"/cs/gw2/submit",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/
APG01V2_WAFPolicy09_ContactSystem", "connectionSerialNumber"=>510061,
"contentType"=>"application/x-www-form-urlencoded",
"originalHost"=>"contact.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>627,
"httpMethod"=>"POST", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_4", "requestQuery"=>"cid=000892",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/78.0.3904.108 Safari/537.36", "upstreamSourcePort"=>"17180",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.004"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP09_ContactSystem",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_Listener09_HTTPS_ContactSystem"}, :field=>"records"}
[2024-02-25T03:39:41,492][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>2, :payload_size=>20919, :content_length=>2458, :batch_offset=>0}
[2024-02-25T03:39:42,063][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:39:42,064][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:39:42,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:39:42,724][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:39:42,724][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:39:42,726][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:39:43,407][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:39:43,407][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:39:43,407][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25264
[2024-02-25T03:39:43,407][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20080
[2024-02-25T03:39:43,407][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25195
[2024-02-25T03:39:43,407][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25264
[2024-02-25T03:39:43,407][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25215
[2024-02-25T03:39:43,407][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20080
[2024-02-25T03:39:43,407][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25195
[2024-02-25T03:39:43,407][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25215
[2024-02-25T03:39:43,407][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:39:43,407][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:39:43,408][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:39:43,408][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:39:43,408][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:39:43,408][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:39:43,408][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:39:43,408][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:39:43,408][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:39:43,408][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:39:43,408][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:39:43,408][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:39:43,408][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:39:43,408][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:39:43,408][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:39:43,408][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:39:43,488][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:39:43,488][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:39:43,488][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:39:45,440][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 is processing a batch of
size 1.
[2024-02-25T03:39:45,443][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: Saving checkpoint: 1533336280816//1261944
[2024-02-25T03:39:45,443][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: updateCheckpoint() 1533336280816//1261944
[2024-02-25T03:39:45,443][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 finished processing a batch
of 8926 bytes.
[2024-02-25T03:39:45,494][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:39:45.442878934Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:39:11+00:00\", \"time\": \"2024-02-25T03:39:11+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15406\",\"requestUri\":\"\\/00\\/
S5YA15406\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1005,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":14,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluatio
nTime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"0ae0033d4906
7793aa655ddaa29a7447\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:39:11+00:00\", \"time\": \"2024-02-
25T03:39:11+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"218.13.194.194\",\"clientPort\":8049,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000892&p28=&_ga=2.124410250.1431691701.1650765734-
1551864221.1650765734\",\"requestUri\":\"\\/cs\\/gw\",\"requestQuery\":\"c-
id=000892&p28=&_ga=2.124410250.1431691701.1650765734-
1551864221.1650765734\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/78.0.3904.108
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":441,\"sentBytes\":63536,\"connectionSerialNumber\":509602,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.368,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"737895bbf80095f07664d2530df
c6c74\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.368\",\"ups
treamSourcePort\":\"58724\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:39:12+00:00\", \"time\": \"2024-02-25T03:39:12+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"218.13.194.194\",\"clientPort\":8053,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/error\\/
error1005\",\"requestUri\":\"\\/cs\\/error\\/
error1005\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/78.0.3904.108
Safari\\/537.36\",\"contentType\":\"application\\/x-www-form-
urlencoded\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion
\":\"HTTP\\/
1.1\",\"receivedBytes\":475,\"sentBytes\":4602,\"connectionSerialNumber\":509605,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.007,\"WAFEvalua
tionTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"60191b3670a692c2d8386dad4d9
126b4\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.004\",\"ups
treamSourcePort\":\"58724\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:39:12+00:00\", \"time\": \"2024-02-25T03:39:12+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"218.13.194.194\",\"clientPort\":8055,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/error\\/
error1005\",\"requestUri\":\"\\/cs\\/error\\/
error1005\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/78.0.3904.108
Safari\\/537.36\",\"contentType\":\"application\\/x-www-form-
urlencoded\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion
\":\"HTTP\\/
1.1\",\"receivedBytes\":475,\"sentBytes\":4602,\"connectionSerialNumber\":509607,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.006,\"WAFEvalua
tionTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"bc3c200da3a56fdf903ab9ae13e
115db\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.004\",\"ups
treamSourcePort\":\"58724\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:39:13+00:00\", \"time\": \"2024-02-25T03:39:13+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"85.208.96.209\",\"clientPort\":53156,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=129539&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=129539&no=0&page\",\"userAgent\":\"Mo
zilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":357,\"sentBytes\":5977,\"connectionSerialNumber\":509606,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.062,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"12bfac849bb5bf89e2e066d432ebdb84\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"42014\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}",
"event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:39:11+00:00\", \"time\": \"2024-02-25T03:39:11+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15406\",\"requestUri\":\"\\/00\\/
S5YA15406\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1005,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":14,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluatio
nTime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"0ae0033d4906
7793aa655ddaa29a7447\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:39:11+00:00\", \"time\": \"2024-02-
25T03:39:11+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"218.13.194.194\",\"clientPort\":8049,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000892&p28=&_ga=2.124410250.1431691701.1650765734-
1551864221.1650765734\",\"requestUri\":\"\\/cs\\/gw\",\"requestQuery\":\"c-
id=000892&p28=&_ga=2.124410250.1431691701.1650765734-
1551864221.1650765734\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/78.0.3904.108
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":441,\"sentBytes\":63536,\"connectionSerialNumber\":509602,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.368,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"737895bbf80095f07664d2530df
c6c74\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.368\",\"ups
treamSourcePort\":\"58724\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:39:12+00:00\", \"time\": \"2024-02-25T03:39:12+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"218.13.194.194\",\"clientPort\":8053,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/error\\/
error1005\",\"requestUri\":\"\\/cs\\/error\\/
error1005\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/78.0.3904.108
Safari\\/537.36\",\"contentType\":\"application\\/x-www-form-
urlencoded\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion
\":\"HTTP\\/
1.1\",\"receivedBytes\":475,\"sentBytes\":4602,\"connectionSerialNumber\":509605,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.007,\"WAFEvalua
tionTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"60191b3670a692c2d8386dad4d9
126b4\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.004\",\"ups
treamSourcePort\":\"58724\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:39:12+00:00\", \"time\": \"2024-02-25T03:39:12+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"218.13.194.194\",\"clientPort\":8055,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/error\\/
error1005\",\"requestUri\":\"\\/cs\\/error\\/
error1005\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/78.0.3904.108
Safari\\/537.36\",\"contentType\":\"application\\/x-www-form-
urlencoded\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion
\":\"HTTP\\/
1.1\",\"receivedBytes\":475,\"sentBytes\":4602,\"connectionSerialNumber\":509607,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.006,\"WAFEvalua
tionTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"bc3c200da3a56fdf903ab9ae13e
115db\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.004\",\"ups
treamSourcePort\":\"58724\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:39:13+00:00\", \"time\": \"2024-02-25T03:39:13+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"85.208.96.209\",\"clientPort\":53156,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=129539&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=129539&no=0&page\",\"userAgent\":\"Mo
zilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":357,\"sentBytes\":5977,\"connectionSerialNumber\":509606,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.062,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"12bfac849bb5bf89e2e066d432ebdb84\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"42014\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:39:45,496][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:39:11+00:00", "timeStamp"=>"2024-02-25T03:39:11+00:00",
"listenerName"=>"APG01_Listener15_HTTPS_AutoID-Redirect",
"properties"=>{"host"=>"", "clientPort"=>35780, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"",
"timeTaken"=>0, "transactionId"=>"0ae0033d49067793aa655ddaa29a7447",
"sslClientVerify"=>"NONE", "originalRequestUriWithArgs"=>"/00/S5YA15406",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"13.73.28.76",
"httpStatus"=>307, "sentBytes"=>463, "requestUri"=>"/00/S5YA15406",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509422, "contentType"=>"",
"originalHost"=>"autoid.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>1005,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>14,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule15_AutoID-Redirect"}, {"time"=>"2024-02-
25T03:39:11+00:00", "timeStamp"=>"2024-02-25T03:39:11+00:00",
"backendPoolName"=>"APG01_BackendPool09_ContactSystem",
"listenerName"=>"APG01_Listener09_HTTPS_ContactSystem",
"properties"=>{"host"=>"contact.yokogawa.com", "clientPort"=>8049,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.14.10.57:80", "sslCipher"=>"ECDHE-
RSA-AES256-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.368e0,
"transactionId"=>"737895bbf80095f07664d2530dfc6c74", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cs/gw?c-
id=000892&p28=&_ga=2.124410250.1431691701.1650765734-1551864221.1650765734",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"218.13.194.194",
"httpStatus"=>200, "sentBytes"=>63536, "requestUri"=>"/cs/gw",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/
APG01V2_WAFPolicy09_ContactSystem", "connectionSerialNumber"=>509602,
"contentType"=>"", "originalHost"=>"contact.yokogawa.com", "sslEnabled"=>"on",
"receivedBytes"=>441, "httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_2", "requestQuery"=>"c-
id=000892&p28=&_ga=2.124410250.1431691701.1650765734-1551864221.1650765734",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/78.0.3904.108 Safari/537.36", "upstreamSourcePort"=>"58724",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.368"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP09_ContactSystem",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_Listener09_HTTPS_ContactSystem"}, {"time"=>"2024-02-
25T03:39:12+00:00", "timeStamp"=>"2024-02-25T03:39:12+00:00",
"backendPoolName"=>"APG01_BackendPool09_ContactSystem",
"listenerName"=>"APG01_Listener09_HTTPS_ContactSystem",
"properties"=>{"host"=>"contact.yokogawa.com", "clientPort"=>8053,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.14.10.57:80", "sslCipher"=>"ECDHE-
RSA-AES256-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.7e-2,
"transactionId"=>"60191b3670a692c2d8386dad4d9126b4", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cs/error/error1005", "WAFEvaluationTime"=>"0.004",
"serverStatus"=>"200", "clientIP"=>"218.13.194.194", "httpStatus"=>200,
"sentBytes"=>4602, "requestUri"=>"/cs/error/error1005",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/
APG01V2_WAFPolicy09_ContactSystem", "connectionSerialNumber"=>509605,
"contentType"=>"application/x-www-form-urlencoded",
"originalHost"=>"contact.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>475,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/78.0.3904.108 Safari/537.36", "upstreamSourcePort"=>"58724",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.004"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP09_ContactSystem",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_Listener09_HTTPS_ContactSystem"}, {"time"=>"2024-02-
25T03:39:12+00:00", "timeStamp"=>"2024-02-25T03:39:12+00:00",
"backendPoolName"=>"APG01_BackendPool09_ContactSystem",
"listenerName"=>"APG01_Listener09_HTTPS_ContactSystem",
"properties"=>{"host"=>"contact.yokogawa.com", "clientPort"=>8055,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.14.10.57:80", "sslCipher"=>"ECDHE-
RSA-AES256-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.6e-2,
"transactionId"=>"bc3c200da3a56fdf903ab9ae13e115db", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cs/error/error1005", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"218.13.194.194", "httpStatus"=>200,
"sentBytes"=>4602, "requestUri"=>"/cs/error/error1005",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/
APG01V2_WAFPolicy09_ContactSystem", "connectionSerialNumber"=>509607,
"contentType"=>"application/x-www-form-urlencoded",
"originalHost"=>"contact.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>475,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/78.0.3904.108 Safari/537.36", "upstreamSourcePort"=>"58724",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.004"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP09_ContactSystem",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_Listener09_HTTPS_ContactSystem"}, {"time"=>"2024-02-
25T03:39:13+00:00", "timeStamp"=>"2024-02-25T03:39:13+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>53156,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.62e-1,
"transactionId"=>"12bfac849bb5bf89e2e066d432ebdb84", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=129539&no=0&page", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"85.208.96.209", "httpStatus"=>200,
"sentBytes"=>5977, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509606, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>357,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=res&namber=129539&no=0&page",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"42014",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.060"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}], "@timestamp"=>2024-02-
25T03:39:45.442878934Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:39:11+00:00\", \"time\": \"2024-02-25T03:39:11+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\":
\"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15406\",\"requestUri\":\"\\/00\\/
S5YA15406\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1005,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":14,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluatio
nTime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"0ae0033d4906
7793aa655ddaa29a7447\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:39:11+00:00\", \"time\": \"2024-02-
25T03:39:11+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"218.13.194.194\",\"clientPort\":8049,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000892&p28=&_ga=2.124410250.1431691701.1650765734-
1551864221.1650765734\",\"requestUri\":\"\\/cs\\/gw\",\"requestQuery\":\"c-
id=000892&p28=&_ga=2.124410250.1431691701.1650765734-
1551864221.1650765734\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/78.0.3904.108
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":441,\"sentBytes\":63536,\"connectionSerialNumber\":509602,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.368,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"737895bbf80095f07664d2530df
c6c74\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.368\",\"ups
treamSourcePort\":\"58724\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:39:12+00:00\", \"time\": \"2024-02-25T03:39:12+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"218.13.194.194\",\"clientPort\":8053,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/error\\/
error1005\",\"requestUri\":\"\\/cs\\/error\\/
error1005\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/78.0.3904.108
Safari\\/537.36\",\"contentType\":\"application\\/x-www-form-
urlencoded\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion
\":\"HTTP\\/
1.1\",\"receivedBytes\":475,\"sentBytes\":4602,\"connectionSerialNumber\":509605,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.007,\"WAFEvalua
tionTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"60191b3670a692c2d8386dad4d9
126b4\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.004\",\"ups
treamSourcePort\":\"58724\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:39:12+00:00\", \"time\": \"2024-02-25T03:39:12+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"218.13.194.194\",\"clientPort\":8055,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/error\\/
error1005\",\"requestUri\":\"\\/cs\\/error\\/
error1005\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/78.0.3904.108
Safari\\/537.36\",\"contentType\":\"application\\/x-www-form-
urlencoded\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion
\":\"HTTP\\/
1.1\",\"receivedBytes\":475,\"sentBytes\":4602,\"connectionSerialNumber\":509607,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.006,\"WAFEvalua
tionTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"bc3c200da3a56fdf903ab9ae13e
115db\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.004\",\"ups
treamSourcePort\":\"58724\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:39:13+00:00\", \"time\": \"2024-02-25T03:39:13+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"85.208.96.209\",\"clientPort\":53156,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=129539&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=129539&no=0&page\",\"userAgent\":\"Mo
zilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":357,\"sentBytes\":5977,\"connectionSerialNumber\":509606,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.062,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"12bfac849bb5bf89e2e066d432ebdb84\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"42014\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:39:11+00:00\", \"time\": \"2024-02-
25T03:39:11+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15406\",\"requestUri\":\"\\/00\\/
S5YA15406\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1005,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":14,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluatio
nTime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"0ae0033d4906
7793aa655ddaa29a7447\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:39:11+00:00\", \"time\": \"2024-02-
25T03:39:11+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"218.13.194.194\",\"clientPort\":8049,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/gw?c-
id=000892&p28=&_ga=2.124410250.1431691701.1650765734-
1551864221.1650765734\",\"requestUri\":\"\\/cs\\/gw\",\"requestQuery\":\"c-
id=000892&p28=&_ga=2.124410250.1431691701.1650765734-
1551864221.1650765734\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/78.0.3904.108
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":441,\"sentBytes\":63536,\"connectionSerialNumber\":509602,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.368,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"737895bbf80095f07664d2530df
c6c74\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.368\",\"ups
treamSourcePort\":\"58724\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:39:12+00:00\", \"time\": \"2024-02-25T03:39:12+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"218.13.194.194\",\"clientPort\":8053,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/error\\/
error1005\",\"requestUri\":\"\\/cs\\/error\\/
error1005\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/78.0.3904.108
Safari\\/537.36\",\"contentType\":\"application\\/x-www-form-
urlencoded\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion
\":\"HTTP\\/
1.1\",\"receivedBytes\":475,\"sentBytes\":4602,\"connectionSerialNumber\":509605,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.007,\"WAFEvalua
tionTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"60191b3670a692c2d8386dad4d9
126b4\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.004\",\"ups
treamSourcePort\":\"58724\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:39:12+00:00\", \"time\": \"2024-02-25T03:39:12+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"rul
eName\": \"APG01_Listener09_HTTPS_ContactSystem\", \"backendPoolName\": \"APG01_Bac
kendPool09_ContactSystem\", \"backendSettingName\": \"APG01_HTTP09_ContactSystem\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGateway
AccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"218.13.194.194\",\"clientPort\":8055,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cs\\/error\\/
error1005\",\"requestUri\":\"\\/cs\\/error\\/
error1005\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/78.0.3904.108
Safari\\/537.36\",\"contentType\":\"application\\/x-www-form-
urlencoded\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion
\":\"HTTP\\/
1.1\",\"receivedBytes\":475,\"sentBytes\":4602,\"connectionSerialNumber\":509607,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0.006,\"WAFEvalua
tionTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy09_ContactSystem\",\"transactionId\":\"bc3c200da3a56fdf903ab9ae13e
115db\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.10.57:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.004\",\"ups
treamSourcePort\":\"58724\",\"originalHost\":\"contact.yokogawa.com\",\"host\":\"co
ntact.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:39:13+00:00\", \"time\": \"2024-02-25T03:39:13+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"85.208.96.209\",\"clientPort\":53156,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=129539&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=129539&no=0&page\",\"userAgent\":\"Mo
zilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":357,\"sentBytes\":5977,\"connectionSerialNumber\":509606,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.062,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"12bfac849bb5bf89e2e066d432ebdb84\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"42014\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:39:45,502][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:39:11+00:00", "timeStamp"=>"2024-02-
25T03:39:11+00:00", "listenerName"=>"APG01_Listener15_HTTPS_AutoID-Redirect",
"properties"=>{"host"=>"", "clientPort"=>35780, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"",
"timeTaken"=>0, "transactionId"=>"0ae0033d49067793aa655ddaa29a7447",
"sslClientVerify"=>"NONE", "originalRequestUriWithArgs"=>"/00/S5YA15406",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"13.73.28.76",
"httpStatus"=>307, "sentBytes"=>463, "requestUri"=>"/00/S5YA15406",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509422, "contentType"=>"",
"originalHost"=>"autoid.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>1005,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>14,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule15_AutoID-Redirect"}, :field=>"records"}
[2024-02-25T03:39:45,502][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:39:11+00:00", "timeStamp"=>"2024-02-
25T03:39:11+00:00", "backendPoolName"=>"APG01_BackendPool09_ContactSystem",
"listenerName"=>"APG01_Listener09_HTTPS_ContactSystem",
"properties"=>{"host"=>"contact.yokogawa.com", "clientPort"=>8049,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.14.10.57:80", "sslCipher"=>"ECDHE-
RSA-AES256-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.368e0,
"transactionId"=>"737895bbf80095f07664d2530dfc6c74", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cs/gw?c-
id=000892&p28=&_ga=2.124410250.1431691701.1650765734-1551864221.1650765734",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"218.13.194.194",
"httpStatus"=>200, "sentBytes"=>63536, "requestUri"=>"/cs/gw",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/
APG01V2_WAFPolicy09_ContactSystem", "connectionSerialNumber"=>509602,
"contentType"=>"", "originalHost"=>"contact.yokogawa.com", "sslEnabled"=>"on",
"receivedBytes"=>441, "httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_2", "requestQuery"=>"c-
id=000892&p28=&_ga=2.124410250.1431691701.1650765734-1551864221.1650765734",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/78.0.3904.108 Safari/537.36", "upstreamSourcePort"=>"58724",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.368"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP09_ContactSystem",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_Listener09_HTTPS_ContactSystem"}, :field=>"records"}
[2024-02-25T03:39:45,503][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:39:12+00:00", "timeStamp"=>"2024-02-
25T03:39:12+00:00", "backendPoolName"=>"APG01_BackendPool09_ContactSystem",
"listenerName"=>"APG01_Listener09_HTTPS_ContactSystem",
"properties"=>{"host"=>"contact.yokogawa.com", "clientPort"=>8053,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.14.10.57:80", "sslCipher"=>"ECDHE-
RSA-AES256-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.7e-2,
"transactionId"=>"60191b3670a692c2d8386dad4d9126b4", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cs/error/error1005", "WAFEvaluationTime"=>"0.004",
"serverStatus"=>"200", "clientIP"=>"218.13.194.194", "httpStatus"=>200,
"sentBytes"=>4602, "requestUri"=>"/cs/error/error1005",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/
APG01V2_WAFPolicy09_ContactSystem", "connectionSerialNumber"=>509605,
"contentType"=>"application/x-www-form-urlencoded",
"originalHost"=>"contact.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>475,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/78.0.3904.108 Safari/537.36", "upstreamSourcePort"=>"58724",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.004"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP09_ContactSystem",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_Listener09_HTTPS_ContactSystem"}, :field=>"records"}
[2024-02-25T03:39:45,503][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:39:12+00:00", "timeStamp"=>"2024-02-
25T03:39:12+00:00", "backendPoolName"=>"APG01_BackendPool09_ContactSystem",
"listenerName"=>"APG01_Listener09_HTTPS_ContactSystem",
"properties"=>{"host"=>"contact.yokogawa.com", "clientPort"=>8055,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.14.10.57:80", "sslCipher"=>"ECDHE-
RSA-AES256-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.6e-2,
"transactionId"=>"bc3c200da3a56fdf903ab9ae13e115db", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cs/error/error1005", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"218.13.194.194", "httpStatus"=>200,
"sentBytes"=>4602, "requestUri"=>"/cs/error/error1005",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/
APG01V2_WAFPolicy09_ContactSystem", "connectionSerialNumber"=>509607,
"contentType"=>"application/x-www-form-urlencoded",
"originalHost"=>"contact.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>475,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/78.0.3904.108 Safari/537.36", "upstreamSourcePort"=>"58724",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.004"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP09_ContactSystem",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_Listener09_HTTPS_ContactSystem"}, :field=>"records"}
[2024-02-25T03:39:45,503][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:39:13+00:00", "timeStamp"=>"2024-02-
25T03:39:13+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>53156,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.62e-1,
"transactionId"=>"12bfac849bb5bf89e2e066d432ebdb84", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=129539&no=0&page", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"85.208.96.209", "httpStatus"=>200,
"sentBytes"=>5977, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509606, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>357,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=res&namber=129539&no=0&page",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"42014",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.060"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:39:45,523][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>5, :payload_size=>109025, :content_length=>7988, :batch_offset=>0}
[2024-02-25T03:39:45,721][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:39:45,721][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:39:45,723][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:39:46,678][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=347708838} forced-compaction result
(captures: `13` span: `PT1M0.034153427S`)
[2024-02-25T03:39:46,678][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1975461151} forced-compaction result
(captures: `13` span: `PT1M0.034117526S`)
[2024-02-25T03:39:46,679][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=834359250} forced-compaction result
(captures: `13` span: `PT1M0.034092726S`)
[2024-02-25T03:39:46,679][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=212501865} forced-compaction result
(captures: `13` span: `PT1M0.034081925S`)
[2024-02-25T03:39:46,679][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1420193271} forced-compaction result
(captures: `13` span: `PT1M0.034074726S`)
[2024-02-25T03:39:47,069][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:39:47,069][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:39:47,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:39:48,408][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:39:48,408][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:39:48,408][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20263
[2024-02-25T03:39:48,408][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25080
[2024-02-25T03:39:48,408][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20194
[2024-02-25T03:39:48,408][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20214
[2024-02-25T03:39:48,408][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20263
[2024-02-25T03:39:48,408][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25080
[2024-02-25T03:39:48,408][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20194
[2024-02-25T03:39:48,408][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20214
[2024-02-25T03:39:48,408][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:39:48,408][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:39:48,409][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:39:48,409][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:39:48,409][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:39:48,409][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:39:48,408][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:39:48,409][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:39:48,409][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:39:48,409][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:39:48,409][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:39:48,409][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:39:48,409][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:39:48,409][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:39:48,409][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:39:48,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:39:48,602][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:39:48,603][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:39:48,603][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:39:48,622][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:39:48,622][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:39:48,622][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:39:48,671][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:39:48,671][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:39:48,671][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:39:48,718][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:39:48,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:39:48,720][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:39:50,907][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is processing a batch of
size 1.
[2024-02-25T03:39:50,909][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Saving checkpoint: 1533313478272//1261844
[2024-02-25T03:39:50,909][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: updateCheckpoint() 1533313478272//1261844
[2024-02-25T03:39:50,909][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 finished processing a batch
of 1452 bytes.
[2024-02-25T03:39:50,960][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:39:50.908577345Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:39:23+00:00\", \"time\": \"2024-02-25T03:39:23+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15407\",\"requestUri\":\"\\/00\\/
S5YA15407\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1005,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":15,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluatio
nTime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"7cee7ece660f
53cae2fe7e0d66b2b8dd\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}}]}",
"event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:39:23+00:00\", \"time\": \"2024-02-25T03:39:23+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15407\",\"requestUri\":\"\\/00\\/
S5YA15407\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1005,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":15,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluatio
nTime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"7cee7ece660f
53cae2fe7e0d66b2b8dd\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}}]}"}}}
[2024-02-25T03:39:50,960][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:39:23+00:00", "timeStamp"=>"2024-02-25T03:39:23+00:00",
"listenerName"=>"APG01_Listener15_HTTPS_AutoID-Redirect",
"properties"=>{"host"=>"", "clientPort"=>35780, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"",
"timeTaken"=>0, "transactionId"=>"7cee7ece660f53cae2fe7e0d66b2b8dd",
"sslClientVerify"=>"NONE", "originalRequestUriWithArgs"=>"/00/S5YA15407",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"13.73.28.76",
"httpStatus"=>307, "sentBytes"=>463, "requestUri"=>"/00/S5YA15407",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509422, "contentType"=>"",
"originalHost"=>"autoid.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>1005,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>15,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule15_AutoID-Redirect"}], "@timestamp"=>2024-02-
25T03:39:50.908577345Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:39:23+00:00\", \"time\": \"2024-02-25T03:39:23+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15407\",\"requestUri\":\"\\/00\\/
S5YA15407\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1005,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":15,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluatio
nTime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"7cee7ece660f
53cae2fe7e0d66b2b8dd\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}}]}",
"event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:39:23+00:00\", \"time\": \"2024-02-25T03:39:23+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15407\",\"requestUri\":\"\\/00\\/
S5YA15407\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1005,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":15,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluatio
nTime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"7cee7ece660f
53cae2fe7e0d66b2b8dd\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}}]}"}}}
[2024-02-25T03:39:50,961][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:39:23+00:00", "timeStamp"=>"2024-02-
25T03:39:23+00:00", "listenerName"=>"APG01_Listener15_HTTPS_AutoID-Redirect",
"properties"=>{"host"=>"", "clientPort"=>35780, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"",
"timeTaken"=>0, "transactionId"=>"7cee7ece660f53cae2fe7e0d66b2b8dd",
"sslClientVerify"=>"NONE", "originalRequestUriWithArgs"=>"/00/S5YA15407",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"13.73.28.76",
"httpStatus"=>307, "sentBytes"=>463, "requestUri"=>"/00/S5YA15407",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509422, "contentType"=>"",
"originalHost"=>"autoid.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>1005,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>15,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule15_AutoID-Redirect"}, :field=>"records"}
[2024-02-25T03:39:50,968][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>1, :payload_size=>5102, :content_length=>1538, :batch_offset=>0}
[2024-02-25T03:39:51,681][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1185004608} forced-compaction result
(captures: `13` span: `PT1M0.033212394S`)
[2024-02-25T03:39:51,681][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=470312551} forced-compaction result
(captures: `13` span: `PT1M0.033217395S`)
[2024-02-25T03:39:51,681][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1089746968} forced-compaction result
(captures: `13` span: `PT1M0.033209694S`)
[2024-02-25T03:39:51,681][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=852728684} forced-compaction result
(captures: `13` span: `PT1M0.033229194S`)
[2024-02-25T03:39:51,681][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2044420810} forced-compaction result
(captures: `13` span: `PT1M0.033225195S`)
[2024-02-25T03:39:51,681][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=650053832} forced-compaction result
(captures: `13` span: `PT1M0.033159293S`)
[2024-02-25T03:39:51,681][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1206567167} forced-compaction result
(captures: `13` span: `PT1M0.033121092S`)
[2024-02-25T03:39:51,681][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1766603669} forced-compaction result
(captures: `13` span: `PT1M0.033117993S`)
[2024-02-25T03:39:51,681][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1260640580} forced-compaction result
(captures: `13` span: `PT1M0.033128192S`)
[2024-02-25T03:39:51,681][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=352608672} forced-compaction result
(captures: `13` span: `PT1M0.033122793S`)
[2024-02-25T03:39:51,681][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=83404487} forced-compaction result
(captures: `13` span: `PT1M0.033129793S`)
[2024-02-25T03:39:51,681][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=216053086} forced-compaction result
(captures: `13` span: `PT1M0.033140393S`)
[2024-02-25T03:39:51,681][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1499243647} forced-compaction result
(captures: `13` span: `PT1M0.033140893S`)
[2024-02-25T03:39:51,681][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1877198741} forced-compaction result
(captures: `13` span: `PT1M0.033114092S`)
[2024-02-25T03:39:51,719][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:39:51,720][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:39:51,728][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:39:52,081][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:39:52,081][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:39:52,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:39:53,136][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_fa3633_1708832068590_MF_dea4fe_1708832068367-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
0], linkName[LN_f9801c_1708832068620_e07_G30] - schedule operation timer, current:
[2024-02-25T03:39:53.136833786Z], remaining: [60] secs
[2024-02-25T03:39:53,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:39:53,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:39:53,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25261
[2024-02-25T03:39:53,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20078
[2024-02-25T03:39:53,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25193
[2024-02-25T03:39:53,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25261
[2024-02-25T03:39:53,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25212
[2024-02-25T03:39:53,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20078
[2024-02-25T03:39:53,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25193
[2024-02-25T03:39:53,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25212
[2024-02-25T03:39:53,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:39:53,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:39:53,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:39:53,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:39:53,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:39:53,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:39:53,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:39:53,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:39:53,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:39:53,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:39:53,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:39:53,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:39:53,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:39:53,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:39:53,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:39:53,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:39:53,488][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:39:53,488][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:39:53,488][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:39:54,720][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:39:54,720][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:39:54,722][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:39:56,683][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1206079401} forced-compaction result (captures: `3` span: `PT10.004660993S`)
[2024-02-25T03:39:56,683][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=725814568} forced-compaction result (captures: `3` span: `PT10.004643893S`)
[2024-02-25T03:39:56,683][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1730595321} forced-compaction result (captures: `3` span: `PT10.004654492S`)
[2024-02-25T03:39:56,683][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2047832316} forced-compaction result
(captures: `13` span: `PT1M0.033192372S`)
[2024-02-25T03:39:56,683][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=267304298} forced-compaction result
(captures: `13` span: `PT1M0.033173672S`)
[2024-02-25T03:39:57,086][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:39:57,087][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:39:57,263][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
1], linkName[LN_7535a2_1708832073460_45c_G10] - Reschedule operation timer,
current: [2024-02-25T03:39:57.263760374Z], remaining: [48] secs
[2024-02-25T03:39:57,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:39:57,724][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:39:57,724][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:39:57,726][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:39:58,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:39:58,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:39:58,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20261
[2024-02-25T03:39:58,411][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25077
[2024-02-25T03:39:58,411][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20192
[2024-02-25T03:39:58,411][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20211
[2024-02-25T03:39:58,411][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:39:58,411][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:39:58,411][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:39:58,411][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:39:58,411][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:39:58,411][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:39:58,411][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:39:58,411][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:39:58,410][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20261
[2024-02-25T03:39:58,412][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25076
[2024-02-25T03:39:58,412][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20191
[2024-02-25T03:39:58,412][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20210
[2024-02-25T03:39:58,412][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:39:58,412][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:39:58,412][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:39:58,412][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:39:58,412][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:39:58,412][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:39:58,412][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 2
[2024-02-25T03:39:58,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:39:58,603][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:39:58,603][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:39:58,603][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:39:58,622][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:39:58,622][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:39:58,623][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:39:58,672][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:39:58,672][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:39:58,672][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:40:00,718][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:40:00,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:40:00,720][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:40:01,686][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=540156057} forced-compaction result (captures: `3` span: `PT10.005463201S`)
[2024-02-25T03:40:01,687][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1346215174} forced-compaction result (captures: `3` span: `PT10.006325719S`)
[2024-02-25T03:40:01,687][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=827149645} forced-compaction result (captures: `3` span: `PT10.006391822S`)
[2024-02-25T03:40:01,687][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=235286487} forced-compaction result (captures: `3` span: `PT10.006245618S`)
[2024-02-25T03:40:01,687][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1065480294} forced-compaction result (captures: `3` span: `PT10.006253119S`)
[2024-02-25T03:40:01,687][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=57188157} forced-compaction result (captures: `3` span: `PT10.006229218S`)
[2024-02-25T03:40:01,687][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1486130488} forced-compaction result (captures: `3` span: `PT10.006235418S`)
[2024-02-25T03:40:01,687][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1741908330} forced-compaction result (captures: `3` span: `PT10.006233017S`)
[2024-02-25T03:40:01,687][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1466017590} forced-compaction result (captures: `3` span: `PT10.006236418S`)
[2024-02-25T03:40:01,687][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=272063376} forced-compaction result (captures: `3` span: `PT10.006231917S`)
[2024-02-25T03:40:01,687][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1815538147} forced-compaction result (captures: `3` span: `PT10.006219918S`)
[2024-02-25T03:40:01,687][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=273831222} forced-compaction result (captures: `3` span: `PT10.006223217S`)
[2024-02-25T03:40:01,687][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1255151645} forced-compaction result (captures: `3` span: `PT10.006222217S`)
[2024-02-25T03:40:01,687][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1620128012} forced-compaction result (captures: `3` span: `PT10.006210017S`)
[2024-02-25T03:40:01,687][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1001633036} forced-compaction result (captures: `3` span: `PT10.006215617S`)
[2024-02-25T03:40:01,687][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=969583785} forced-compaction result (captures: `3` span: `PT10.006193117S`)
[2024-02-25T03:40:02,091][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:40:02,091][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:40:02,261][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], linkName[LN_163586_1708832038575_634_G17] - Reschedule operation timer,
current: [2024-02-25T03:40:02.261824689Z], remaining: [48] secs
[2024-02-25T03:40:02,262][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], linkName[LN_163586_1708832038575_634_G17] - Reschedule operation timer,
current: [2024-02-25T03:40:02.262107395Z], remaining: [48] secs
[2024-02-25T03:40:02,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:40:03,411][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:40:03,411][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25261
[2024-02-25T03:40:03,411][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20077
[2024-02-25T03:40:03,411][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25192
[2024-02-25T03:40:03,411][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25211
[2024-02-25T03:40:03,411][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:40:03,411][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:40:03,411][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:40:03,411][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:40:03,411][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:40:03,411][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:40:03,412][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:40:03,412][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:40:03,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:40:03,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25259
[2024-02-25T03:40:03,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20075
[2024-02-25T03:40:03,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25190
[2024-02-25T03:40:03,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25209
[2024-02-25T03:40:03,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:40:03,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:40:03,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:40:03,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:40:03,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:40:03,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:40:03,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:40:03,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:40:03,489][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:40:03,489][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:40:03,489][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:40:03,719][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:40:03,719][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:40:03,721][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:40:04,920][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is processing a batch of
size 1.
[2024-02-25T03:40:04,922][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Saving checkpoint: 1533313479792//1261845
[2024-02-25T03:40:04,922][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: updateCheckpoint() 1533313479792//1261845
[2024-02-25T03:40:04,922][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 finished processing a batch
of 3410 bytes.
[2024-02-25T03:40:04,972][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:40:04.921571086Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:39:30+00:00\", \"time\": \"2024-02-25T03:39:30+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15407\",\"requestUri\":\"\\/00\\/
S5YA15407\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1004,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":16,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluatio
nTime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"06e50abbadb7
e36e596efc1c4c27f7da\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:39:38+00:00\", \"time\": \"2024-02-
25T03:39:38+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"40.77.167.132\",\"clientPort\":54222,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=144607&namber=5789364&space=0&rev=0&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=144607&namber=5789364&space=0&rev=0&page=
0&no=0\",\"userAgent\":\"Mozilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko;
compatible; bingbot\\/2.0; +http:\\/\\/www.bing.com\\/bingbot.htm)
Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":371,\"sentBytes\":7688,\"connectionSerialNumber\":509613,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.007,\"timeTaken\":0.075,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"bfb06d64d49e52c1cfcfd3aa2bd7e1d4\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.072\",\"upst
reamSourcePort\":\"18210\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:39:30+00:00\", \"time\": \"2024-02-
25T03:39:30+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15407\",\"requestUri\":\"\\/00\\/
S5YA15407\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1004,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":16,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluatio
nTime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"06e50abbadb7
e36e596efc1c4c27f7da\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:39:38+00:00\", \"time\": \"2024-02-
25T03:39:38+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"40.77.167.132\",\"clientPort\":54222,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=144607&namber=5789364&space=0&rev=0&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=144607&namber=5789364&space=0&rev=0&page=
0&no=0\",\"userAgent\":\"Mozilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko;
compatible; bingbot\\/2.0; +http:\\/\\/www.bing.com\\/bingbot.htm)
Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":371,\"sentBytes\":7688,\"connectionSerialNumber\":509613,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.007,\"timeTaken\":0.075,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"bfb06d64d49e52c1cfcfd3aa2bd7e1d4\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.072\",\"upst
reamSourcePort\":\"18210\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:40:04,973][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:39:30+00:00", "timeStamp"=>"2024-02-25T03:39:30+00:00",
"listenerName"=>"APG01_Listener15_HTTPS_AutoID-Redirect",
"properties"=>{"host"=>"", "clientPort"=>35780, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"",
"timeTaken"=>0, "transactionId"=>"06e50abbadb7e36e596efc1c4c27f7da",
"sslClientVerify"=>"NONE", "originalRequestUriWithArgs"=>"/00/S5YA15407",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"13.73.28.76",
"httpStatus"=>307, "sentBytes"=>463, "requestUri"=>"/00/S5YA15407",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509422, "contentType"=>"",
"originalHost"=>"autoid.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>1004,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>16,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule15_AutoID-Redirect"}, {"time"=>"2024-02-
25T03:39:38+00:00", "timeStamp"=>"2024-02-25T03:39:38+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>54222,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.75e-1,
"transactionId"=>"bfb06d64d49e52c1cfcfd3aa2bd7e1d4", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&mo=144607&namber=5789364&space=0&rev=0&page=0&no=0",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"40.77.167.132",
"httpStatus"=>200, "sentBytes"=>7688,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509613, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>371,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&mo=144607&namber=5789364&space=0&rev=0&page=0&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.7e-2,
"userAgent"=>"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible;
bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36",
"upstreamSourcePort"=>"18210", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>"0.072"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}], "@timestamp"=>2024-02-
25T03:40:04.921571086Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:39:30+00:00\", \"time\": \"2024-02-25T03:39:30+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15407\",\"requestUri\":\"\\/00\\/
S5YA15407\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1004,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":16,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluatio
nTime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"06e50abbadb7
e36e596efc1c4c27f7da\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:39:38+00:00\", \"time\": \"2024-02-
25T03:39:38+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"40.77.167.132\",\"clientPort\":54222,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=144607&namber=5789364&space=0&rev=0&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=144607&namber=5789364&space=0&rev=0&page=
0&no=0\",\"userAgent\":\"Mozilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko;
compatible; bingbot\\/2.0; +http:\\/\\/www.bing.com\\/bingbot.htm)
Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":371,\"sentBytes\":7688,\"connectionSerialNumber\":509613,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.007,\"timeTaken\":0.075,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"bfb06d64d49e52c1cfcfd3aa2bd7e1d4\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.072\",\"upst
reamSourcePort\":\"18210\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:39:30+00:00\", \"time\": \"2024-02-
25T03:39:30+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15407\",\"requestUri\":\"\\/00\\/
S5YA15407\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1004,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":16,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluatio
nTime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"06e50abbadb7
e36e596efc1c4c27f7da\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:39:38+00:00\", \"time\": \"2024-02-
25T03:39:38+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"40.77.167.132\",\"clientPort\":54222,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=144607&namber=5789364&space=0&rev=0&page=0&no=0\",\"requestUr
i\":\"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=144607&namber=5789364&space=0&rev=0&page=
0&no=0\",\"userAgent\":\"Mozilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko;
compatible; bingbot\\/2.0; +http:\\/\\/www.bing.com\\/bingbot.htm)
Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":371,\"sentBytes\":7688,\"connectionSerialNumber\":509613,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.007,\"timeTaken\":0.075,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"bfb06d64d49e52c1cfcfd3aa2bd7e1d4\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.072\",\"upst
reamSourcePort\":\"18210\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:40:04,975][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:39:30+00:00", "timeStamp"=>"2024-02-
25T03:39:30+00:00", "listenerName"=>"APG01_Listener15_HTTPS_AutoID-Redirect",
"properties"=>{"host"=>"", "clientPort"=>35780, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"",
"timeTaken"=>0, "transactionId"=>"06e50abbadb7e36e596efc1c4c27f7da",
"sslClientVerify"=>"NONE", "originalRequestUriWithArgs"=>"/00/S5YA15407",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"13.73.28.76",
"httpStatus"=>307, "sentBytes"=>463, "requestUri"=>"/00/S5YA15407",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509422, "contentType"=>"",
"originalHost"=>"autoid.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>1004,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>16,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule15_AutoID-Redirect"}, :field=>"records"}
[2024-02-25T03:40:04,975][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:39:38+00:00", "timeStamp"=>"2024-02-
25T03:39:38+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>54222,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.75e-1,
"transactionId"=>"bfb06d64d49e52c1cfcfd3aa2bd7e1d4", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&mo=144607&namber=5789364&space=0&rev=0&page=0&no=0",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"40.77.167.132",
"httpStatus"=>200, "sentBytes"=>7688,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509613, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>371,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&mo=144607&namber=5789364&space=0&rev=0&page=0&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.7e-2,
"userAgent"=>"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible;
bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36",
"upstreamSourcePort"=>"18210", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>"0.072"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:40:04,984][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>2, :payload_size=>19310, :content_length=>2976, :batch_offset=>0}
[2024-02-25T03:40:06,690][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=2108110993} forced-compaction result (captures: `3` span: `PT10.006402038S`)
[2024-02-25T03:40:06,690][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1130893468} forced-compaction result (captures: `3` span: `PT10.006490841S`)
[2024-02-25T03:40:06,720][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:40:06,720][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:40:06,722][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:40:07,096][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:40:07,097][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:40:07,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:40:08,412][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:40:08,412][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20260
[2024-02-25T03:40:08,412][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25077
[2024-02-25T03:40:08,412][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20191
[2024-02-25T03:40:08,412][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20210
[2024-02-25T03:40:08,412][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:40:08,412][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:40:08,412][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:40:08,412][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:40:08,412][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:40:08,412][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:40:08,412][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:40:08,412][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:40:08,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:40:08,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20258
[2024-02-25T03:40:08,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25075
[2024-02-25T03:40:08,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20189
[2024-02-25T03:40:08,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20208
[2024-02-25T03:40:08,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:40:08,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:40:08,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:40:08,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:40:08,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:40:08,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:40:08,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:40:08,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:40:08,603][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:40:08,603][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:40:08,603][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:40:08,623][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:40:08,623][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:40:08,623][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:40:08,672][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:40:08,672][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:40:08,672][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:40:09,717][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:40:09,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:40:09,726][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:40:12,105][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:40:12,105][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:40:12,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:40:12,722][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:40:12,722][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:40:12,731][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:40:12,981][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 0 is processing a batch of
size 1.
[2024-02-25T03:40:12,983][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: Saving checkpoint: 6725945907424//1542268
[2024-02-25T03:40:12,983][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: updateCheckpoint() 6725945907424//1542268
[2024-02-25T03:40:12,983][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 0 finished processing a batch
of 5642 bytes.
[2024-02-25T03:40:12,984][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_fa3633_1708832068590_MF_dea4fe_1708832068367-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
0], linkName[LN_f9801c_1708832068620_e07_G30] - schedule operation timer, current:
[2024-02-25T03:40:12.984039682Z], remaining: [60] secs
[2024-02-25T03:40:13,034][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:40:12.983123862Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:39:42+00:00\", \"time\": \"2024-02-25T03:39:42+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName\": \"APG02_Rou
tingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14_JServiceCRM\",
\"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50252,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/scrm\\/
FullTextSearchCrm\",\"requestUri\":\"\\/scrm\\/
FullTextSearchCrm\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":2106,\"sentBytes\":29806,\"connectionSerialNumber\":535665,
\"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":1.32,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"249f8653d29d72fd969cd1e82c4af24
7\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"1.320\",\"up
streamSourcePort\":\"54324\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:39:43+00:00\", \"time\": \"2024-02-
25T03:39:43+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50252,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/
FullTextSearchCrm\",\"requestUri\":\"\\/scrm\\/
FullTextSearchCrm\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36 Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-
urlencoded; charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":2406,\"sentBytes\":748,\"connectionSerialNumber\":535665,\"
noOfConnectionRequests\":2,\"clientResponseTime\":0,\"timeTaken\":1.211,\"WAFEvalua
tionTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"a1a6110e5941e56d296a6b4def78c42
d\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"1.212\",\"up
streamSourcePort\":\"54324\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:39:43+00:00\", \"time\": \"2024-02-
25T03:39:43+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50254,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/
FullTextSearchCrm\",\"requestUri\":\"\\/scrm\\/
FullTextSearchCrm\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36 Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-
urlencoded; charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":2308,\"sentBytes\":1172,\"connectionSerialNumber\":535667,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":1.215,\"WAFEvalu
ationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"5d1e4ae0d733b37d7fb68a8134d64d5
1\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"1.212\",\"up
streamSourcePort\":\"54330\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}}]}",
"event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:39:42+00:00\", \"time\": \"2024-02-25T03:39:42+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName\": \"APG02_Rou
tingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14_JServiceCRM\",
\"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50252,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/scrm\\/
FullTextSearchCrm\",\"requestUri\":\"\\/scrm\\/
FullTextSearchCrm\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":2106,\"sentBytes\":29806,\"connectionSerialNumber\":535665,
\"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":1.32,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"249f8653d29d72fd969cd1e82c4af24
7\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"1.320\",\"up
streamSourcePort\":\"54324\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:39:43+00:00\", \"time\": \"2024-02-
25T03:39:43+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50252,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/
FullTextSearchCrm\",\"requestUri\":\"\\/scrm\\/
FullTextSearchCrm\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36 Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-
urlencoded; charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":2406,\"sentBytes\":748,\"connectionSerialNumber\":535665,\"
noOfConnectionRequests\":2,\"clientResponseTime\":0,\"timeTaken\":1.211,\"WAFEvalua
tionTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Networ
k\\/ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"a1a6110e5941e56d296a6b4def78c42
d\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"1.212\",\"up
streamSourcePort\":\"54324\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:39:43+00:00\", \"time\": \"2024-02-
25T03:39:43+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50254,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/
FullTextSearchCrm\",\"requestUri\":\"\\/scrm\\/
FullTextSearchCrm\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36 Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-
urlencoded; charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":2308,\"sentBytes\":1172,\"connectionSerialNumber\":535667,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":1.215,\"WAFEvalu
ationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"5d1e4ae0d733b37d7fb68a8134d64d5
1\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"1.212\",\"up
streamSourcePort\":\"54330\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}}]}"}}}
[2024-02-25T03:40:13,035][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:39:42+00:00", "timeStamp"=>"2024-02-25T03:39:42+00:00",
"backendPoolName"=>"APG02_BackendPool14_JServiceCRM",
"listenerName"=>"APG02_Listener14_HTTPS_JServiceCRM", "properties"=>{"host"=>"ymzn-
bww21az010.amzn.ykgw.net", "clientPort"=>50252, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.7.4.136:8080", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.132e1,
"transactionId"=>"249f8653d29d72fd969cd1e82c4af247", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/scrm/FullTextSearchCrm",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"52.253.107.28",
"httpStatus"=>200, "sentBytes"=>29806, "requestUri"=>"/scrm/FullTextSearchCrm",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy14_JServiceCRM",
"connectionSerialNumber"=>535665, "contentType"=>"", "originalHost"=>"j-service-
crm.yokogawa.co.jp", "sslEnabled"=>"on", "receivedBytes"=>2106,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"54324", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>"1.320"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP14_JServiceCRM-8080",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule14_JServiceCRM"}, {"time"=>"2024-02-
25T03:39:43+00:00", "timeStamp"=>"2024-02-25T03:39:43+00:00",
"backendPoolName"=>"APG02_BackendPool14_JServiceCRM",
"listenerName"=>"APG02_Listener14_HTTPS_JServiceCRM", "properties"=>{"host"=>"ymzn-
bww21az010.amzn.ykgw.net", "clientPort"=>50252, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.7.4.136:8080", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.1211e1,
"transactionId"=>"a1a6110e5941e56d296a6b4def78c42d", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/scrm/FullTextSearchCrm",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"52.253.107.28",
"httpStatus"=>200, "sentBytes"=>748, "requestUri"=>"/scrm/FullTextSearchCrm",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy14_JServiceCRM",
"connectionSerialNumber"=>535665, "contentType"=>"application/x-www-form-
urlencoded; charset=UTF-8", "originalHost"=>"j-service-crm.yokogawa.co.jp",
"sslEnabled"=>"on", "receivedBytes"=>2406, "httpMethod"=>"POST",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5", "requestQuery"=>"",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"54324", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>2,
"serverResponseLatency"=>"1.212"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP14_JServiceCRM-8080",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule14_JServiceCRM"}, {"time"=>"2024-02-
25T03:39:43+00:00", "timeStamp"=>"2024-02-25T03:39:43+00:00",
"backendPoolName"=>"APG02_BackendPool14_JServiceCRM",
"listenerName"=>"APG02_Listener14_HTTPS_JServiceCRM", "properties"=>{"host"=>"ymzn-
bww21az010.amzn.ykgw.net", "clientPort"=>50254, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.7.4.136:8080", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.1215e1,
"transactionId"=>"5d1e4ae0d733b37d7fb68a8134d64d51", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/scrm/FullTextSearchCrm",
"WAFEvaluationTime"=>"0.004", "serverStatus"=>"200", "clientIP"=>"52.253.107.28",
"httpStatus"=>200, "sentBytes"=>1172, "requestUri"=>"/scrm/FullTextSearchCrm",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy14_JServiceCRM",
"connectionSerialNumber"=>535667, "contentType"=>"application/x-www-form-
urlencoded; charset=UTF-8", "originalHost"=>"j-service-crm.yokogawa.co.jp",
"sslEnabled"=>"on", "receivedBytes"=>2308, "httpMethod"=>"POST",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5", "requestQuery"=>"",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"54330", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>"1.212"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP14_JServiceCRM-8080",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule14_JServiceCRM"}], "@timestamp"=>2024-02-
25T03:40:12.983123862Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:39:42+00:00\", \"time\": \"2024-02-25T03:39:42+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName\": \"APG02_Rou
tingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14_JServiceCRM\",
\"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50252,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/scrm\\/
FullTextSearchCrm\",\"requestUri\":\"\\/scrm\\/
FullTextSearchCrm\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":2106,\"sentBytes\":29806,\"connectionSerialNumber\":535665,
\"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":1.32,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"249f8653d29d72fd969cd1e82c4af24
7\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"1.320\",\"up
streamSourcePort\":\"54324\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:39:43+00:00\", \"time\": \"2024-02-
25T03:39:43+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50252,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/
FullTextSearchCrm\",\"requestUri\":\"\\/scrm\\/
FullTextSearchCrm\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36 Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-
urlencoded; charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":2406,\"sentBytes\":748,\"connectionSerialNumber\":535665,\"
noOfConnectionRequests\":2,\"clientResponseTime\":0,\"timeTaken\":1.211,\"WAFEvalua
tionTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"a1a6110e5941e56d296a6b4def78c42
d\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\"
:\"200\",\"serverResponseLatency\":\"1.212\",\"upstreamSourcePort\":\"54324\",\"ori
ginalHost\":\"j-service-crm.yokogawa.co.jp\",\"host\":\"ymzn-
bww21az010.amzn.ykgw.net\"}},{ \"timeStamp\": \"2024-02-
25T03:39:43+00:00\", \"time\": \"2024-02-25T03:39:43+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName\": \"APG02_Rou
tingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14_JServiceCRM\",
\"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50254,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/
FullTextSearchCrm\",\"requestUri\":\"\\/scrm\\/
FullTextSearchCrm\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36 Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-
urlencoded; charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":2308,\"sentBytes\":1172,\"connectionSerialNumber\":535667,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":1.215,\"WAFEvalu
ationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"5d1e4ae0d733b37d7fb68a8134d64d5
1\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"1.212\",\"up
streamSourcePort\":\"54330\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}}]}",
"event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:39:42+00:00\", \"time\": \"2024-02-25T03:39:42+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName\": \"APG02_Rou
tingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14_JServiceCRM\",
\"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50252,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/scrm\\/
FullTextSearchCrm\",\"requestUri\":\"\\/scrm\\/
FullTextSearchCrm\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":2106,\"sentBytes\":29806,\"connectionSerialNumber\":535665,
\"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":1.32,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"249f8653d29d72fd969cd1e82c4af24
7\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"1.320\",\"up
streamSourcePort\":\"54324\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:39:43+00:00\", \"time\": \"2024-02-
25T03:39:43+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50252,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/
FullTextSearchCrm\",\"requestUri\":\"\\/scrm\\/
FullTextSearchCrm\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36 Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-
urlencoded; charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":2406,\"sentBytes\":748,\"connectionSerialNumber\":535665,\"
noOfConnectionRequests\":2,\"clientResponseTime\":0,\"timeTaken\":1.211,\"WAFEvalua
tionTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"a1a6110e5941e56d296a6b4def78c42
d\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"1.212\",\"up
streamSourcePort\":\"54324\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:39:43+00:00\", \"time\": \"2024-02-
25T03:39:43+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50254,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/
FullTextSearchCrm\",\"requestUri\":\"\\/scrm\\/
FullTextSearchCrm\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36 Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-
urlencoded; charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":2308,\"sentBytes\":1172,\"connectionSerialNumber\":535667,\
"noOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":1.215,\"WAFEvalu
ationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"5d1e4ae0d733b37d7fb68a8134d64d5
1\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"1.212\",\"up
streamSourcePort\":\"54330\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}}]}"}}}
[2024-02-25T03:40:13,037][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:39:42+00:00", "timeStamp"=>"2024-02-
25T03:39:42+00:00", "backendPoolName"=>"APG02_BackendPool14_JServiceCRM",
"listenerName"=>"APG02_Listener14_HTTPS_JServiceCRM", "properties"=>{"host"=>"ymzn-
bww21az010.amzn.ykgw.net", "clientPort"=>50252, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.7.4.136:8080", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.132e1,
"transactionId"=>"249f8653d29d72fd969cd1e82c4af247", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/scrm/FullTextSearchCrm",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"52.253.107.28",
"httpStatus"=>200, "sentBytes"=>29806, "requestUri"=>"/scrm/FullTextSearchCrm",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy14_JServiceCRM",
"connectionSerialNumber"=>535665, "contentType"=>"", "originalHost"=>"j-service-
crm.yokogawa.co.jp", "sslEnabled"=>"on", "receivedBytes"=>2106,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"54324", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>"1.320"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP14_JServiceCRM-8080",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule14_JServiceCRM"}, :field=>"records"}
[2024-02-25T03:40:13,043][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:39:43+00:00", "timeStamp"=>"2024-02-
25T03:39:43+00:00", "backendPoolName"=>"APG02_BackendPool14_JServiceCRM",
"listenerName"=>"APG02_Listener14_HTTPS_JServiceCRM", "properties"=>{"host"=>"ymzn-
bww21az010.amzn.ykgw.net", "clientPort"=>50252, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.7.4.136:8080", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.1211e1,
"transactionId"=>"a1a6110e5941e56d296a6b4def78c42d", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/scrm/FullTextSearchCrm",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"52.253.107.28",
"httpStatus"=>200, "sentBytes"=>748, "requestUri"=>"/scrm/FullTextSearchCrm",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy14_JServiceCRM",
"connectionSerialNumber"=>535665, "contentType"=>"application/x-www-form-
urlencoded; charset=UTF-8", "originalHost"=>"j-service-crm.yokogawa.co.jp",
"sslEnabled"=>"on", "receivedBytes"=>2406, "httpMethod"=>"POST",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5", "requestQuery"=>"",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"54324", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>2,
"serverResponseLatency"=>"1.212"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP14_JServiceCRM-8080",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule14_JServiceCRM"}, :field=>"records"}
[2024-02-25T03:40:13,043][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:39:43+00:00", "timeStamp"=>"2024-02-
25T03:39:43+00:00", "backendPoolName"=>"APG02_BackendPool14_JServiceCRM",
"listenerName"=>"APG02_Listener14_HTTPS_JServiceCRM", "properties"=>{"host"=>"ymzn-
bww21az010.amzn.ykgw.net", "clientPort"=>50254, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.7.4.136:8080", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.1215e1,
"transactionId"=>"5d1e4ae0d733b37d7fb68a8134d64d51", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/scrm/FullTextSearchCrm",
"WAFEvaluationTime"=>"0.004", "serverStatus"=>"200", "clientIP"=>"52.253.107.28",
"httpStatus"=>200, "sentBytes"=>1172, "requestUri"=>"/scrm/FullTextSearchCrm",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy14_JServiceCRM",
"connectionSerialNumber"=>535667, "contentType"=>"application/x-www-form-
urlencoded; charset=UTF-8", "originalHost"=>"j-service-crm.yokogawa.co.jp",
"sslEnabled"=>"on", "receivedBytes"=>2308, "httpMethod"=>"POST",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5", "requestQuery"=>"",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"54330", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>"1.212"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP14_JServiceCRM-8080",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule14_JServiceCRM"}, :field=>"records"}
[2024-02-25T03:40:13,053][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>3, :payload_size=>43948, :content_length=>3445, :batch_offset=>0}
[2024-02-25T03:40:13,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:40:13,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25259
[2024-02-25T03:40:13,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20076
[2024-02-25T03:40:13,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25190
[2024-02-25T03:40:13,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25210
[2024-02-25T03:40:13,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:40:13,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:40:13,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:40:13,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:40:13,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:40:13,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:40:13,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:40:13,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:40:13,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:40:13,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25258
[2024-02-25T03:40:13,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20075
[2024-02-25T03:40:13,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25189
[2024-02-25T03:40:13,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25209
[2024-02-25T03:40:13,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:40:13,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:40:13,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:40:13,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:40:13,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:40:13,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:40:13,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:40:13,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:40:13,489][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:40:13,489][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:40:13,489][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:40:14,260][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
1], linkName[LN_7535a2_1708832073460_45c_G10] - Reschedule operation timer,
current: [2024-02-25T03:40:14.260470871Z], remaining: [31] secs
[2024-02-25T03:40:14,344][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_539107_1708832038496_MF_00b33c_1708832038383-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
2], linkName[LN_c22bd3_1708832038545_dc7f_G9] - schedule operation timer, current:
[2024-02-25T03:40:14.344164887Z], remaining: [60] secs
[2024-02-25T03:40:15,737][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:40:15,737][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:40:15,739][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:40:16,694][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=347708838} forced-compaction result
(captures: `13` span: `PT1M0.034525643S`)
[2024-02-25T03:40:16,695][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1975461151} forced-compaction result
(captures: `13` span: `PT1M0.034506143S`)
[2024-02-25T03:40:16,695][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=834359250} forced-compaction result
(captures: `13` span: `PT1M0.034500043S`)
[2024-02-25T03:40:16,695][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=212501865} forced-compaction result
(captures: `13` span: `PT1M0.034493843S`)
[2024-02-25T03:40:16,695][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1420193271} forced-compaction result
(captures: `13` span: `PT1M0.034462742S`)
[2024-02-25T03:40:17,110][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:40:17,110][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:40:17,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:40:18,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:40:18,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20259
[2024-02-25T03:40:18,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25076
[2024-02-25T03:40:18,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20190
[2024-02-25T03:40:18,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20210
[2024-02-25T03:40:18,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:40:18,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:40:18,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:40:18,413][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:40:18,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:40:18,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:40:18,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:40:18,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:40:18,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:40:18,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20258
[2024-02-25T03:40:18,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25075
[2024-02-25T03:40:18,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20189
[2024-02-25T03:40:18,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20208
[2024-02-25T03:40:18,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:40:18,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:40:18,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:40:18,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:40:18,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:40:18,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:40:18,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:40:18,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:40:18,604][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:40:18,604][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:40:18,604][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:40:18,623][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:40:18,623][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:40:18,623][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:40:18,672][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:40:18,672][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:40:18,673][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:40:18,720][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:40:18,720][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:40:18,736][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:40:21,698][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1185004608} forced-compaction result
(captures: `13` span: `PT1M0.035169375S`)
[2024-02-25T03:40:21,698][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=470312551} forced-compaction result
(captures: `13` span: `PT1M0.035111673S`)
[2024-02-25T03:40:21,698][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1089746968} forced-compaction result
(captures: `13` span: `PT1M0.035129873S`)
[2024-02-25T03:40:21,698][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=852728684} forced-compaction result
(captures: `13` span: `PT1M0.035128974S`)
[2024-02-25T03:40:21,698][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2044420810} forced-compaction result
(captures: `13` span: `PT1M0.035170374S`)
[2024-02-25T03:40:21,698][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=650053832} forced-compaction result
(captures: `13` span: `PT1M0.035176274S`)
[2024-02-25T03:40:21,698][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1206567167} forced-compaction result
(captures: `13` span: `PT1M0.035158874S`)
[2024-02-25T03:40:21,698][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1766603669} forced-compaction result
(captures: `13` span: `PT1M0.035157474S`)
[2024-02-25T03:40:21,698][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1260640580} forced-compaction result
(captures: `13` span: `PT1M0.035165775S`)
[2024-02-25T03:40:21,698][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=352608672} forced-compaction result
(captures: `13` span: `PT1M0.035130473S`)
[2024-02-25T03:40:21,698][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=83404487} forced-compaction result
(captures: `13` span: `PT1M0.035125374S`)
[2024-02-25T03:40:21,698][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=216053086} forced-compaction result
(captures: `13` span: `PT1M0.035123373S`)
[2024-02-25T03:40:21,698][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1499243647} forced-compaction result
(captures: `13` span: `PT1M0.035122873S`)
[2024-02-25T03:40:21,698][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1877198741} forced-compaction result
(captures: `13` span: `PT1M0.035122574S`)
[2024-02-25T03:40:21,727][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:40:21,728][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:40:21,730][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:40:22,122][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:40:22,122][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:40:22,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:40:23,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:40:23,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25259
[2024-02-25T03:40:23,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20075
[2024-02-25T03:40:23,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25190
[2024-02-25T03:40:23,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25209
[2024-02-25T03:40:23,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:40:23,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:40:23,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:40:23,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:40:23,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:40:23,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:40:23,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:40:23,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:40:23,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:40:23,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25258
[2024-02-25T03:40:23,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20074
[2024-02-25T03:40:23,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25189
[2024-02-25T03:40:23,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25208
[2024-02-25T03:40:23,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:40:23,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:40:23,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:40:23,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:40:23,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:40:23,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:40:23,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:40:23,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:40:23,489][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:40:23,490][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:40:23,490][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:40:24,724][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:40:24,725][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:40:24,734][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:40:26,700][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1206079401} forced-compaction result (captures: `3` span: `PT10.005779652S`)
[2024-02-25T03:40:26,700][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=725814568} forced-compaction result (captures: `3` span: `PT10.005786952S`)
[2024-02-25T03:40:26,700][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1730595321} forced-compaction result (captures: `3` span: `PT10.005773852S`)
[2024-02-25T03:40:26,701][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2047832316} forced-compaction result
(captures: `13` span: `PT1M0.034942387S`)
[2024-02-25T03:40:26,701][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=267304298} forced-compaction result
(captures: `13` span: `PT1M0.034925986S`)
[2024-02-25T03:40:27,126][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:40:27,127][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:40:27,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:40:27,721][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:40:27,728][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:40:27,730][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:40:28,414][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:40:28,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20258
[2024-02-25T03:40:28,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25075
[2024-02-25T03:40:28,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20189
[2024-02-25T03:40:28,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20208
[2024-02-25T03:40:28,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:40:28,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:40:28,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:40:28,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:40:28,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:40:28,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:40:28,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:40:28,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:40:28,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:40:28,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20258
[2024-02-25T03:40:28,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25075
[2024-02-25T03:40:28,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20189
[2024-02-25T03:40:28,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20207
[2024-02-25T03:40:28,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:40:28,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:40:28,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:40:28,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:40:28,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:40:28,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:40:28,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:40:28,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:40:28,604][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:40:28,604][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:40:28,604][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:40:28,623][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:40:28,624][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:40:28,624][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:40:28,673][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:40:28,673][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:40:28,673][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:40:30,717][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:40:30,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:40:30,719][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:40:31,702][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=540156057} forced-compaction result (captures: `3` span: `PT10.005053236S`)
[2024-02-25T03:40:31,703][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1346215174} forced-compaction result (captures: `3` span: `PT10.005211239S`)
[2024-02-25T03:40:31,703][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=827149645} forced-compaction result (captures: `3` span: `PT10.005318141S`)
[2024-02-25T03:40:31,703][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=235286487} forced-compaction result (captures: `3` span: `PT10.00522414S`)
[2024-02-25T03:40:31,703][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1065480294} forced-compaction result (captures: `3` span: `PT10.00520174S`)
[2024-02-25T03:40:31,703][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=57188157} forced-compaction result (captures: `3` span: `PT10.005200339S`)
[2024-02-25T03:40:31,703][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1486130488} forced-compaction result (captures: `3` span: `PT10.005147638S`)
[2024-02-25T03:40:31,703][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1741908330} forced-compaction result (captures: `3` span: `PT10.005142938S`)
[2024-02-25T03:40:31,703][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1466017590} forced-compaction result (captures: `3` span: `PT10.005133938S`)
[2024-02-25T03:40:31,703][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=272063376} forced-compaction result (captures: `3` span: `PT10.005132838S`)
[2024-02-25T03:40:31,703][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1815538147} forced-compaction result (captures: `3` span: `PT10.005123337S`)
[2024-02-25T03:40:31,703][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=273831222} forced-compaction result (captures: `3` span: `PT10.005122038S`)
[2024-02-25T03:40:31,703][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1255151645} forced-compaction result (captures: `3` span: `PT10.005119837S`)
[2024-02-25T03:40:31,703][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1620128012} forced-compaction result (captures: `3` span: `PT10.005119337S`)
[2024-02-25T03:40:31,703][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1001633036} forced-compaction result (captures: `3` span: `PT10.005119138S`)
[2024-02-25T03:40:31,703][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=969583785} forced-compaction result (captures: `3` span: `PT10.005118637S`)
[2024-02-25T03:40:32,133][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:40:32,134][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:40:32,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:40:33,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:40:33,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25258
[2024-02-25T03:40:33,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20075
[2024-02-25T03:40:33,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25189
[2024-02-25T03:40:33,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25209
[2024-02-25T03:40:33,415][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:40:33,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:40:33,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:40:33,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:40:33,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:40:33,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:40:33,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:40:33,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:40:33,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:40:33,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25257
[2024-02-25T03:40:33,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20074
[2024-02-25T03:40:33,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25188
[2024-02-25T03:40:33,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25208
[2024-02-25T03:40:33,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:40:33,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:40:33,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:40:33,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:40:33,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:40:33,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:40:33,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:40:33,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:40:33,490][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:40:33,490][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:40:33,490][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:40:33,718][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:40:33,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:40:33,727][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:40:36,705][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=2108110993} forced-compaction result (captures: `3` span: `PT10.004277519S`)
[2024-02-25T03:40:36,705][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1130893468} forced-compaction result (captures: `3` span: `PT10.004399622S`)
[2024-02-25T03:40:36,723][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:40:36,723][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:40:36,725][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:40:37,139][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:40:37,139][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:40:37,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:40:38,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:40:38,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20257
[2024-02-25T03:40:38,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25074
[2024-02-25T03:40:38,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20188
[2024-02-25T03:40:38,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20208
[2024-02-25T03:40:38,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:40:38,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:40:38,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:40:38,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:40:38,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:40:38,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:40:38,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:40:38,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20257
[2024-02-25T03:40:38,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25074
[2024-02-25T03:40:38,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20188
[2024-02-25T03:40:38,416][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20208
[2024-02-25T03:40:38,417][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:40:38,417][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:40:38,417][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:40:38,417][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:40:38,417][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:40:38,417][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:40:38,417][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:40:38,417][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:40:38,417][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:40:38,417][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:40:38,605][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:40:38,605][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:40:38,605][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:40:38,624][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:40:38,624][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:40:38,624][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:40:38,673][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:40:38,673][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:40:38,673][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:40:39,719][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:40:39,720][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:40:39,722][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:40:42,146][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:40:42,146][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:40:42,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:40:42,707][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 2 is processing a batch of
size 1.
[2024-02-25T03:40:42,712][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: Saving checkpoint: 6725919638480//1542132
[2024-02-25T03:40:42,712][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: updateCheckpoint() 6725919638480//1542132
[2024-02-25T03:40:42,712][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 2 finished processing a batch
of 13352 bytes.
[2024-02-25T03:40:42,712][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_539107_1708832038496_MF_00b33c_1708832038383-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
2], linkName[LN_c22bd3_1708832038545_dc7f_G9] - schedule operation timer, current:
[2024-02-25T03:40:42.712445170Z], remaining: [60] secs
[2024-02-25T03:40:42,723][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:40:42,723][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:40:42,731][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:40:42,763][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:40:42.710970438Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:40:10+00:00\", \"time\": \"2024-02-25T03:40:10+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName\": \"APG02_Rou
tingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14_JServiceCRM\",
\"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50254,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/
List\",\"requestUri\":\"\\/scrm\\/User\\/
List\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64;
x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0 Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1956,\"sentBytes\":21992,\"connectionSerialNumber\":535667,
\"noOfConnectionRequests\":2,\"clientResponseTime\":0,\"timeTaken\":0.682,\"WAFEval
uationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"df37dc9863479d956a2a64d67dbd6a6
7\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.680\",\"up
streamSourcePort\":\"36314\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:40:10+00:00\", \"time\": \"2024-02-
25T03:40:10+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50254,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/
List\",\"requestUri\":\"\\/scrm\\/User\\/
List\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64;
x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0 Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-urlencoded;
charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":2556,\"sentBytes\":754,\"connectionSerialNumber\":535667,\"
noOfConnectionRequests\":3,\"clientResponseTime\":0.001,\"timeTaken\":0.267,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"67016ead085af180af28fa1eb260e6a
9\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.260\",\"up
streamSourcePort\":\"36314\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:40:10+00:00\", \"time\": \"2024-02-
25T03:40:10+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50252,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/
List\",\"requestUri\":\"\\/scrm\\/User\\/
List\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64;
x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0 Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-urlencoded;
charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":2449,\"sentBytes\":1170,\"connectionSerialNumber\":535665,\
"noOfConnectionRequests\":3,\"clientResponseTime\":0,\"timeTaken\":0.265,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"90f20cfbfbfbb2f5c23d9e7fdcb86fd
1\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.264\",\"up
streamSourcePort\":\"36326\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:40:12+00:00\", \"time\": \"2024-02-
25T03:40:12+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50252,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/
List\",\"requestUri\":\"\\/scrm\\/User\\/
List\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64;
x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0 Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-urlencoded;
charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":5766,\"sentBytes\":4478,\"connectionSerialNumber\":535665,\
"noOfConnectionRequests\":4,\"clientResponseTime\":0.026,\"timeTaken\":0.313,\"WAFE
valuationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"cb92601425894dc5b68e0597eab9e1f
f\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.308\",\"up
streamSourcePort\":\"36326\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:40:17+00:00\", \"time\": \"2024-02-
25T03:40:17+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50252,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/605171B8-
80AB-493A-A994-4699E3B64A42?retURL=%252Fsystem%252FUser
%252FList.xhtml\",\"requestUri\":\"\\/scrm\\/User\\/605171B8-80AB-493A-A994-
4699E3B64A42\",\"requestQuery\":\"retURL=%252Fsystem%252FUser
%252FList.xhtml\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0 Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":2187,\"sentBytes\":26179,\"connectionSerialNumber\":535665,
\"noOfConnectionRequests\":5,\"clientResponseTime\":0,\"timeTaken\":0.931,\"WAFEval
uationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resource
Groups\\/RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"641b88502a66b3317439844ca62245a
3\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.932\",\"up
streamSourcePort\":\"36326\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:40:17+00:00\", \"time\": \"2024-02-
25T03:40:17+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50252,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/605171B8-
80AB-493A-A994-4699E3B64A42\",\"requestUri\":\"\\/scrm\\/User\\/605171B8-80AB-493A-
A994-4699E3B64A42\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36 Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-
urlencoded; charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":2614,\"sentBytes\":749,\"connectionSerialNumber\":535665,\"
noOfConnectionRequests\":6,\"clientResponseTime\":0,\"timeTaken\":0.421,\"WAFEvalua
tionTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"772a683e801e0951ec3802e4e217509
6\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.420\",\"up
streamSourcePort\":\"36326\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:40:17+00:00\", \"time\": \"2024-02-
25T03:40:17+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50254,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/605171B8-
80AB-493A-A994-4699E3B64A42\",\"requestUri\":\"\\/scrm\\/User\\/605171B8-80AB-493A-
A994-4699E3B64A42\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36 Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-
urlencoded; charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":2596,\"sentBytes\":2874,\"connectionSerialNumber\":535667,\
"noOfConnectionRequests\":4,\"clientResponseTime\":0,\"timeTaken\":0.483,\"WAFEvalu
ationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"5a9c49afe0a5a12e008e8985b557318
0\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.480\",\"up
streamSourcePort\":\"21898\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}}]}",
"event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:40:10+00:00\", \"time\": \"2024-02-25T03:40:10+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName\": \"APG02_Rou
tingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14_JServiceCRM\",
\"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50254,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/
List\",\"requestUri\":\"\\/scrm\\/User\\/
List\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64;
x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0 Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1956,\"sentBytes\":21992,\"connectionSerialNumber\":535667,
\"noOfConnectionRequests\":2,\"clientResponseTime\":0,\"timeTaken\":0.682,\"WAFEval
uationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"df37dc9863479d956a2a64d67dbd6a6
7\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.680\",\"up
streamSourcePort\":\"36314\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:40:10+00:00\", \"time\": \"2024-02-
25T03:40:10+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50254,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/
List\",\"requestUri\":\"\\/scrm\\/User\\/
List\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64;
x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0 Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-urlencoded;
charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":2556,\"sentBytes\":754,\"connectionSerialNumber\":535667,\"
noOfConnectionRequests\":3,\"clientResponseTime\":0.001,\"timeTaken\":0.267,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"67016ead085af180af28fa1eb260e6a
9\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.260\",\"up
streamSourcePort\":\"36314\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:40:10+00:00\", \"time\": \"2024-02-
25T03:40:10+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50252,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/
List\",\"requestUri\":\"\\/scrm\\/User\\/
List\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64;
x64) AppleWebKit\\/537.36 (KHTML, like Gecko)
Chrome\\/121.0.0.0 Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-urlencoded;
charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":2449,\"sentBytes\":1170,\"connectionSerialNumber\":535665,\
"noOfConnectionRequests\":3,\"clientResponseTime\":0,\"timeTaken\":0.265,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"90f20cfbfbfbb2f5c23d9e7fdcb86fd
1\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.264\",\"up
streamSourcePort\":\"36326\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:40:12+00:00\", \"time\": \"2024-02-
25T03:40:12+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50252,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/
List\",\"requestUri\":\"\\/scrm\\/User\\/
List\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64;
x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0 Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-urlencoded;
charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":5766,\"sentBytes\":4478,\"connectionSerialNumber\":535665,\
"noOfConnectionRequests\":4,\"clientResponseTime\":0.026,\"timeTaken\":0.313,\"WAFE
valuationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"cb92601425894dc5b68e0597eab9e1f
f\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.308\",\"up
streamSourcePort\":\"36326\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:40:17+00:00\", \"time\": \"2024-02-
25T03:40:17+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50252,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/605171B8-
80AB-493A-A994-4699E3B64A42?retURL=%252Fsystem%252FUser
%252FList.xhtml\",\"requestUri\":\"\\/scrm\\/User\\/605171B8-80AB-493A-A994-
4699E3B64A42\",\"requestQuery\":\"retURL=%252Fsystem%252FUser
%252FList.xhtml\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0 Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":2187,\"sentBytes\":26179,\"connectionSerialNumber\":535665,
\"noOfConnectionRequests\":5,\"clientResponseTime\":0,\"timeTaken\":0.931,\"WAFEval
uationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"641b88502a66b3317439844ca62245a
3\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.932\",\"up
streamSourcePort\":\"36326\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:40:17+00:00\", \"time\": \"2024-02-
25T03:40:17+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50252,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/605171B8-
80AB-493A-A994-4699E3B64A42\",\"requestUri\":\"\\/scrm\\/User\\/605171B8-80AB-493A-
A994-4699E3B64A42\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36 Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-
urlencoded; charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":2614,\"sentBytes\":749,\"connectionSerialNumber\":535665,\"
noOfConnectionRequests\":6,\"clientResponseTime\":0,\"timeTaken\":0.421,\"WAFEvalua
tionTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"772a683e801e0951ec3802e4e217509
6\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.420\",\"up
streamSourcePort\":\"36326\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:40:17+00:00\", \"time\": \"2024-02-
25T03:40:17+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50254,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/605171B8-
80AB-493A-A994-4699E3B64A42\",\"requestUri\":\"\\/scrm\\/User\\/605171B8-80AB-493A-
A994-4699E3B64A42\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36 Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-
urlencoded; charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":2596,\"sentBytes\":2874,\"connectionSerialNumber\":535667,\
"noOfConnectionRequests\":4,\"clientResponseTime\":0,\"timeTaken\":0.483,\"WAFEvalu
ationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"5a9c49afe0a5a12e008e8985b557318
0\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.480\",\"up
streamSourcePort\":\"21898\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}}]}"}}}
[2024-02-25T03:40:42,765][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:40:10+00:00", "timeStamp"=>"2024-02-25T03:40:10+00:00",
"backendPoolName"=>"APG02_BackendPool14_JServiceCRM",
"listenerName"=>"APG02_Listener14_HTTPS_JServiceCRM", "properties"=>{"host"=>"ymzn-
bww21az010.amzn.ykgw.net", "clientPort"=>50254, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.7.4.136:8080", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.682e0,
"transactionId"=>"df37dc9863479d956a2a64d67dbd6a67", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/scrm/User/List", "WAFEvaluationTime"=>"0.004",
"serverStatus"=>"200", "clientIP"=>"52.253.107.28", "httpStatus"=>200,
"sentBytes"=>21992, "requestUri"=>"/scrm/User/List",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy14_JServiceCRM",
"connectionSerialNumber"=>535667, "contentType"=>"", "originalHost"=>"j-service-
crm.yokogawa.co.jp", "sslEnabled"=>"on", "receivedBytes"=>1956,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"36314", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>2,
"serverResponseLatency"=>"0.680"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP14_JServiceCRM-8080",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule14_JServiceCRM"}, {"time"=>"2024-02-
25T03:40:10+00:00", "timeStamp"=>"2024-02-25T03:40:10+00:00",
"backendPoolName"=>"APG02_BackendPool14_JServiceCRM",
"listenerName"=>"APG02_Listener14_HTTPS_JServiceCRM", "properties"=>{"host"=>"ymzn-
bww21az010.amzn.ykgw.net", "clientPort"=>50254, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.7.4.136:8080", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.267e0,
"transactionId"=>"67016ead085af180af28fa1eb260e6a9", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/scrm/User/List", "WAFEvaluationTime"=>"0.004",
"serverStatus"=>"200", "clientIP"=>"52.253.107.28", "httpStatus"=>200,
"sentBytes"=>754, "requestUri"=>"/scrm/User/List",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy14_JServiceCRM",
"connectionSerialNumber"=>535667, "contentType"=>"application/x-www-form-
urlencoded; charset=UTF-8", "originalHost"=>"j-service-crm.yokogawa.co.jp",
"sslEnabled"=>"on", "receivedBytes"=>2556, "httpMethod"=>"POST",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5", "requestQuery"=>"",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.1e-2,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"36314", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>3,
"serverResponseLatency"=>"0.260"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP14_JServiceCRM-8080",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule14_JServiceCRM"}, {"time"=>"2024-02-
25T03:40:10+00:00", "timeStamp"=>"2024-02-25T03:40:10+00:00",
"backendPoolName"=>"APG02_BackendPool14_JServiceCRM",
"listenerName"=>"APG02_Listener14_HTTPS_JServiceCRM", "properties"=>{"host"=>"ymzn-
bww21az010.amzn.ykgw.net", "clientPort"=>50252, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.7.4.136:8080", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.265e0,
"transactionId"=>"90f20cfbfbfbb2f5c23d9e7fdcb86fd1", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/scrm/User/List", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"52.253.107.28", "httpStatus"=>200,
"sentBytes"=>1170, "requestUri"=>"/scrm/User/List",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy14_JServiceCRM",
"connectionSerialNumber"=>535665, "contentType"=>"application/x-www-form-
urlencoded; charset=UTF-8", "originalHost"=>"j-service-crm.yokogawa.co.jp",
"sslEnabled"=>"on", "receivedBytes"=>2449, "httpMethod"=>"POST",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5", "requestQuery"=>"",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"36326", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>3,
"serverResponseLatency"=>"0.264"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP14_JServiceCRM-8080",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule14_JServiceCRM"}, {"time"=>"2024-02-
25T03:40:12+00:00", "timeStamp"=>"2024-02-25T03:40:12+00:00",
"backendPoolName"=>"APG02_BackendPool14_JServiceCRM",
"listenerName"=>"APG02_Listener14_HTTPS_JServiceCRM", "properties"=>{"host"=>"ymzn-
bww21az010.amzn.ykgw.net", "clientPort"=>50252, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.7.4.136:8080", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.313e0,
"transactionId"=>"cb92601425894dc5b68e0597eab9e1ff", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/scrm/User/List", "WAFEvaluationTime"=>"0.004",
"serverStatus"=>"200", "clientIP"=>"52.253.107.28", "httpStatus"=>200,
"sentBytes"=>4478, "requestUri"=>"/scrm/User/List",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy14_JServiceCRM",
"connectionSerialNumber"=>535665, "contentType"=>"application/x-www-form-
urlencoded; charset=UTF-8", "originalHost"=>"j-service-crm.yokogawa.co.jp",
"sslEnabled"=>"on", "receivedBytes"=>5766, "httpMethod"=>"POST",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5", "requestQuery"=>"",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.26e-1,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"36326", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>4,
"serverResponseLatency"=>"0.308"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP14_JServiceCRM-8080",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule14_JServiceCRM"}, {"time"=>"2024-02-
25T03:40:17+00:00", "timeStamp"=>"2024-02-25T03:40:17+00:00",
"backendPoolName"=>"APG02_BackendPool14_JServiceCRM",
"listenerName"=>"APG02_Listener14_HTTPS_JServiceCRM", "properties"=>{"host"=>"ymzn-
bww21az010.amzn.ykgw.net", "clientPort"=>50252, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.7.4.136:8080", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.931e0,
"transactionId"=>"641b88502a66b3317439844ca62245a3", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/scrm/User/605171B8-80AB-493A-A994-4699E3B64A42?
retURL=%252Fsystem%252FUser%252FList.xhtml", "WAFEvaluationTime"=>"0.004",
"serverStatus"=>"200", "clientIP"=>"52.253.107.28", "httpStatus"=>200,
"sentBytes"=>26179, "requestUri"=>"/scrm/User/605171B8-80AB-493A-A994-
4699E3B64A42", "WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-
3f0510c83ca3/resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy14_JServiceCRM",
"connectionSerialNumber"=>535665, "contentType"=>"", "originalHost"=>"j-service-
crm.yokogawa.co.jp", "sslEnabled"=>"on", "receivedBytes"=>2187,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5",
"requestQuery"=>"retURL=%252Fsystem%252FUser%252FList.xhtml",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"36326", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>5,
"serverResponseLatency"=>"0.932"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP14_JServiceCRM-8080",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule14_JServiceCRM"},
{"time"=>"2024-02-25T03:40:17+00:00", "timeStamp"=>"2024-02-25T03:40:17+00:00",
"backendPoolName"=>"APG02_BackendPool14_JServiceCRM",
"listenerName"=>"APG02_Listener14_HTTPS_JServiceCRM", "properties"=>{"host"=>"ymzn-
bww21az010.amzn.ykgw.net", "clientPort"=>50252, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.7.4.136:8080", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.421e0,
"transactionId"=>"772a683e801e0951ec3802e4e2175096", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/scrm/User/605171B8-80AB-493A-A994-4699E3B64A42",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"52.253.107.28",
"httpStatus"=>200, "sentBytes"=>749, "requestUri"=>"/scrm/User/605171B8-80AB-493A-
A994-4699E3B64A42", "WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-
3f0510c83ca3/resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy14_JServiceCRM",
"connectionSerialNumber"=>535665, "contentType"=>"application/x-www-form-
urlencoded; charset=UTF-8", "originalHost"=>"j-service-crm.yokogawa.co.jp",
"sslEnabled"=>"on", "receivedBytes"=>2614, "httpMethod"=>"POST",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5", "requestQuery"=>"",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"36326", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>6,
"serverResponseLatency"=>"0.420"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP14_JServiceCRM-8080",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule14_JServiceCRM"}, {"time"=>"2024-02-
25T03:40:17+00:00", "timeStamp"=>"2024-02-25T03:40:17+00:00",
"backendPoolName"=>"APG02_BackendPool14_JServiceCRM",
"listenerName"=>"APG02_Listener14_HTTPS_JServiceCRM", "properties"=>{"host"=>"ymzn-
bww21az010.amzn.ykgw.net", "clientPort"=>50254, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.7.4.136:8080", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.483e0,
"transactionId"=>"5a9c49afe0a5a12e008e8985b5573180", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/scrm/User/605171B8-80AB-493A-A994-4699E3B64A42",
"WAFEvaluationTime"=>"0.004", "serverStatus"=>"200", "clientIP"=>"52.253.107.28",
"httpStatus"=>200, "sentBytes"=>2874, "requestUri"=>"/scrm/User/605171B8-80AB-493A-
A994-4699E3B64A42", "WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-
3f0510c83ca3/resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy14_JServiceCRM",
"connectionSerialNumber"=>535667, "contentType"=>"application/x-www-form-
urlencoded; charset=UTF-8", "originalHost"=>"j-service-crm.yokogawa.co.jp",
"sslEnabled"=>"on", "receivedBytes"=>2596, "httpMethod"=>"POST",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5", "requestQuery"=>"",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"21898", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>4,
"serverResponseLatency"=>"0.480"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP14_JServiceCRM-8080",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule14_JServiceCRM"}], "@timestamp"=>2024-02-
25T03:40:42.710970438Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:40:10+00:00\", \"time\": \"2024-02-25T03:40:10+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName\": \"APG02_Rou
tingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14_JServiceCRM\",
\"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50254,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/
List\",\"requestUri\":\"\\/scrm\\/User\\/
List\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64;
x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0 Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1956,\"sentBytes\":21992,\"connectionSerialNumber\":535667,
\"noOfConnectionRequests\":2,\"clientResponseTime\":0,\"timeTaken\":0.682,\"WAFEval
uationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"df37dc9863479d956a2a64d67dbd6a6
7\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.680\",\"up
streamSourcePort\":\"36314\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:40:10+00:00\", \"time\": \"2024-02-
25T03:40:10+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50254,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/
List\",\"requestUri\":\"\\/scrm\\/User\\/
List\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64;
x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0 Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-urlencoded;
charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":2556,\"sentBytes\":754,\"connectionSerialNumber\":535667,\"
noOfConnectionRequests\":3,\"clientResponseTime\":0.001,\"timeTaken\":0.267,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"67016ead085af180af28fa1eb260e6a
9\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.260\",\"up
streamSourcePort\":\"36314\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:40:10+00:00\", \"time\": \"2024-02-
25T03:40:10+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50252,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/
List\",\"requestUri\":\"\\/scrm\\/User\\/
List\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64;
x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0 Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-urlencoded;
charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":2449,\"sentBytes\":1170,\"connectionSerialNumber\":535665,\
"noOfConnectionRequests\":3,\"clientResponseTime\":0,\"timeTaken\":0.265,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"90f20cfbfbfbb2f5c23d9e7fdcb86fd
1\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"ser
verStatus\":\"200\",\"serverResponseLatency\":\"0.264\",\"upstreamSourcePort\":\"36
326\",\"originalHost\":\"j-service-crm.yokogawa.co.jp\",\"host\":\"ymzn-
bww21az010.amzn.ykgw.net\"}},{ \"timeStamp\": \"2024-02-
25T03:40:12+00:00\", \"time\": \"2024-02-25T03:40:12+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName\": \"APG02_Rou
tingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14_JServiceCRM\",
\"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50252,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/
List\",\"requestUri\":\"\\/scrm\\/User\\/
List\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64;
x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0 Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-urlencoded;
charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":5766,\"sentBytes\":4478,\"connectionSerialNumber\":535665,\
"noOfConnectionRequests\":4,\"clientResponseTime\":0.026,\"timeTaken\":0.313,\"WAFE
valuationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"cb92601425894dc5b68e0597eab9e1f
f\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.308\",\"up
streamSourcePort\":\"36326\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:40:17+00:00\", \"time\": \"2024-02-
25T03:40:17+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50252,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/605171B8-
80AB-493A-A994-4699E3B64A42?retURL=%252Fsystem%252FUser
%252FList.xhtml\",\"requestUri\":\"\\/scrm\\/User\\/605171B8-80AB-493A-A994-
4699E3B64A42\",\"requestQuery\":\"retURL=%252Fsystem%252FUser
%252FList.xhtml\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0 Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":2187,\"sentBytes\":26179,\"connectionSerialNumber\":535665,
\"noOfConnectionRequests\":5,\"clientResponseTime\":0,\"timeTaken\":0.931,\"WAFEval
uationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"641b88502a66b3317439844ca62245a
3\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.932\",\"up
streamSourcePort\":\"36326\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:40:17+00:00\", \"time\": \"2024-02-
25T03:40:17+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50252,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/605171B8-
80AB-493A-A994-4699E3B64A42\",\"requestUri\":\"\\/scrm\\/User\\/605171B8-80AB-493A-
A994-4699E3B64A42\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36 Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-
urlencoded; charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":2614,\"sentBytes\":749,\"connectionSerialNumber\":535665,\"
noOfConnectionRequests\":6,\"clientResponseTime\":0,\"timeTaken\":0.421,\"WAFEvalua
tionTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"772a683e801e0951ec3802e4e217509
6\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.420\",\"up
streamSourcePort\":\"36326\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:40:17+00:00\", \"time\": \"2024-02-
25T03:40:17+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50254,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/605171B8-
80AB-493A-A994-4699E3B64A42\",\"requestUri\":\"\\/scrm\\/User\\/605171B8-80AB-493A-
A994-4699E3B64A42\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36 Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-
urlencoded; charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":2596,\"sentBytes\":2874,\"connectionSerialNumber\":535667,\
"noOfConnectionRequests\":4,\"clientResponseTime\":0,\"timeTaken\":0.483,\"WAFEvalu
ationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"5a9c49afe0a5a12e008e8985b557318
0\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.480\",\"up
streamSourcePort\":\"21898\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}}]}",
"event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:40:10+00:00\", \"time\": \"2024-02-25T03:40:10+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName\": \"APG02_Rou
tingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14_JServiceCRM\",
\"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50254,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/
List\",\"requestUri\":\"\\/scrm\\/User\\/
List\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64;
x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0 Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1956,\"sentBytes\":21992,\"connectionSerialNumber\":535667,
\"noOfConnectionRequests\":2,\"clientResponseTime\":0,\"timeTaken\":0.682,\"WAFEval
uationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\
\/subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"df37dc9863479d956a2a64d67dbd6a6
7\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.680\",\"up
streamSourcePort\":\"36314\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:40:10+00:00\", \"time\": \"2024-02-
25T03:40:10+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50254,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/
List\",\"requestUri\":\"\\/scrm\\/User\\/
List\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64;
x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0 Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-urlencoded;
charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":2556,\"sentBytes\":754,\"connectionSerialNumber\":535667,\"
noOfConnectionRequests\":3,\"clientResponseTime\":0.001,\"timeTaken\":0.267,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"67016ead085af180af28fa1eb260e6a
9\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.260\",\"up
streamSourcePort\":\"36314\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:40:10+00:00\", \"time\": \"2024-02-
25T03:40:10+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50252,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/
List\",\"requestUri\":\"\\/scrm\\/User\\/
List\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64;
x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0 Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-urlencoded;
charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":2449,\"sentBytes\":1170,\"connectionSerialNumber\":535665,\
"noOfConnectionRequests\":3,\"clientResponseTime\":0,\"timeTaken\":0.265,\"WAFEvalu
ationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"90f20cfbfbfbb2f5c23d9e7fdcb86fd
1\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.264\",\"up
streamSourcePort\":\"36326\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:40:12+00:00\", \"time\": \"2024-02-
25T03:40:12+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50252,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/
List\",\"requestUri\":\"\\/scrm\\/User\\/
List\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64;
x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0 Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-urlencoded;
charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":5766,\"sentBytes\":4478,\"connectionSerialNumber\":535665,\
"noOfConnectionRequests\":4,\"clientResponseTime\":0.026,\"timeTaken\":0.313,\"WAFE
valuationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"cb92601425894dc5b68e0597eab9e1f
f\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.308\",\"up
streamSourcePort\":\"36326\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:40:17+00:00\", \"time\": \"2024-02-
25T03:40:17+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50252,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/605171B8-
80AB-493A-A994-4699E3B64A42?retURL=%252Fsystem%252FUser
%252FList.xhtml\",\"requestUri\":\"\\/scrm\\/User\\/605171B8-80AB-493A-A994-
4699E3B64A42\",\"requestQuery\":\"retURL=%252Fsystem%252FUser
%252FList.xhtml\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0 Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":2187,\"sentBytes\":26179,\"connectionSerialNumber\":535665,
\"noOfConnectionRequests\":5,\"clientResponseTime\":0,\"timeTaken\":0.931,\"WAFEval
uationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"641b88502a66b3317439844ca62245a
3\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.932\",\"up
streamSourcePort\":\"36326\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:40:17+00:00\", \"time\": \"2024-02-
25T03:40:17+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50252,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/605171B8-
80AB-493A-A994-4699E3B64A42\",\"requestUri\":\"\\/scrm\\/User\\/605171B8-80AB-493A-
A994-4699E3B64A42\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko)
Chrome\\/121.0.0.0 Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-urlencoded;
charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":2614,\"sentBytes\":749,\"connectionSerialNumber\":535665,\"
noOfConnectionRequests\":6,\"clientResponseTime\":0,\"timeTaken\":0.421,\"WAFEvalua
tionTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"772a683e801e0951ec3802e4e217509
6\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.420\",\"up
streamSourcePort\":\"36326\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}},
{ \"timeStamp\": \"2024-02-25T03:40:17+00:00\", \"time\": \"2024-02-
25T03:40:17+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener14_HTTPS_JServiceCRM\", \"ruleName
\": \"APG02_RoutingRule14_JServiceCRM\", \"backendPoolName\": \"APG02_BackendPool14
_JServiceCRM\", \"backendSettingName\": \"APG02_HTTP14_JServiceCRM-
8080\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applicatio
nGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_5\",\"clientIP\":\"52.253.107.28\",\"clientPort\":50254,\"h
ttpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/scrm\\/User\\/605171B8-
80AB-493A-A994-4699E3B64A42\",\"requestUri\":\"\\/scrm\\/User\\/605171B8-80AB-493A-
A994-4699E3B64A42\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36 Edg\\/121.0.0.0\",\"contentType\":\"application\\/x-www-form-
urlencoded; charset=UTF-
8\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP
\\/
1.1\",\"receivedBytes\":2596,\"sentBytes\":2874,\"connectionSerialNumber\":535667,\
"noOfConnectionRequests\":4,\"clientResponseTime\":0,\"timeTaken\":0.483,\"WAFEvalu
ationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy14_JServiceCRM\",\"transactionId\":\"5a9c49afe0a5a12e008e8985b557318
0\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.7.4.136:8080\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.480\",\"up
streamSourcePort\":\"21898\",\"originalHost\":\"j-service-
crm.yokogawa.co.jp\",\"host\":\"ymzn-bww21az010.amzn.ykgw.net\"}}]}"}}}
[2024-02-25T03:40:42,770][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:40:10+00:00", "timeStamp"=>"2024-02-
25T03:40:10+00:00", "backendPoolName"=>"APG02_BackendPool14_JServiceCRM",
"listenerName"=>"APG02_Listener14_HTTPS_JServiceCRM", "properties"=>{"host"=>"ymzn-
bww21az010.amzn.ykgw.net", "clientPort"=>50254, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.7.4.136:8080", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.682e0,
"transactionId"=>"df37dc9863479d956a2a64d67dbd6a67", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/scrm/User/List", "WAFEvaluationTime"=>"0.004",
"serverStatus"=>"200", "clientIP"=>"52.253.107.28", "httpStatus"=>200,
"sentBytes"=>21992, "requestUri"=>"/scrm/User/List",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy14_JServiceCRM",
"connectionSerialNumber"=>535667, "contentType"=>"", "originalHost"=>"j-service-
crm.yokogawa.co.jp", "sslEnabled"=>"on", "receivedBytes"=>1956,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"36314", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>2,
"serverResponseLatency"=>"0.680"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP14_JServiceCRM-8080",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule14_JServiceCRM"}, :field=>"records"}
[2024-02-25T03:40:42,770][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:40:10+00:00", "timeStamp"=>"2024-02-
25T03:40:10+00:00", "backendPoolName"=>"APG02_BackendPool14_JServiceCRM",
"listenerName"=>"APG02_Listener14_HTTPS_JServiceCRM", "properties"=>{"host"=>"ymzn-
bww21az010.amzn.ykgw.net", "clientPort"=>50254, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.7.4.136:8080", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.267e0,
"transactionId"=>"67016ead085af180af28fa1eb260e6a9", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/scrm/User/List", "WAFEvaluationTime"=>"0.004",
"serverStatus"=>"200", "clientIP"=>"52.253.107.28", "httpStatus"=>200,
"sentBytes"=>754, "requestUri"=>"/scrm/User/List",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy14_JServiceCRM",
"connectionSerialNumber"=>535667, "contentType"=>"application/x-www-form-
urlencoded; charset=UTF-8", "originalHost"=>"j-service-crm.yokogawa.co.jp",
"sslEnabled"=>"on", "receivedBytes"=>2556, "httpMethod"=>"POST",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5", "requestQuery"=>"",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.1e-2,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"36314", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>3,
"serverResponseLatency"=>"0.260"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP14_JServiceCRM-8080",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule14_JServiceCRM"}, :field=>"records"}
[2024-02-25T03:40:42,770][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:40:10+00:00", "timeStamp"=>"2024-02-
25T03:40:10+00:00", "backendPoolName"=>"APG02_BackendPool14_JServiceCRM",
"listenerName"=>"APG02_Listener14_HTTPS_JServiceCRM", "properties"=>{"host"=>"ymzn-
bww21az010.amzn.ykgw.net", "clientPort"=>50252, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.7.4.136:8080", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.265e0,
"transactionId"=>"90f20cfbfbfbb2f5c23d9e7fdcb86fd1", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/scrm/User/List", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"52.253.107.28", "httpStatus"=>200,
"sentBytes"=>1170, "requestUri"=>"/scrm/User/List",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy14_JServiceCRM",
"connectionSerialNumber"=>535665, "contentType"=>"application/x-www-form-
urlencoded; charset=UTF-8", "originalHost"=>"j-service-crm.yokogawa.co.jp",
"sslEnabled"=>"on", "receivedBytes"=>2449, "httpMethod"=>"POST",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5", "requestQuery"=>"",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"36326", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>3,
"serverResponseLatency"=>"0.264"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP14_JServiceCRM-8080",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule14_JServiceCRM"}, :field=>"records"}
[2024-02-25T03:40:42,778][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:40:12+00:00", "timeStamp"=>"2024-02-
25T03:40:12+00:00", "backendPoolName"=>"APG02_BackendPool14_JServiceCRM",
"listenerName"=>"APG02_Listener14_HTTPS_JServiceCRM", "properties"=>{"host"=>"ymzn-
bww21az010.amzn.ykgw.net", "clientPort"=>50252, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.7.4.136:8080", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.313e0,
"transactionId"=>"cb92601425894dc5b68e0597eab9e1ff", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/scrm/User/List", "WAFEvaluationTime"=>"0.004",
"serverStatus"=>"200", "clientIP"=>"52.253.107.28", "httpStatus"=>200,
"sentBytes"=>4478, "requestUri"=>"/scrm/User/List",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy14_JServiceCRM",
"connectionSerialNumber"=>535665, "contentType"=>"application/x-www-form-
urlencoded; charset=UTF-8", "originalHost"=>"j-service-crm.yokogawa.co.jp",
"sslEnabled"=>"on", "receivedBytes"=>5766, "httpMethod"=>"POST",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5", "requestQuery"=>"",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.26e-1,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"36326", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>4,
"serverResponseLatency"=>"0.308"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP14_JServiceCRM-8080",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule14_JServiceCRM"}, :field=>"records"}
[2024-02-25T03:40:42,778][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:40:17+00:00", "timeStamp"=>"2024-02-
25T03:40:17+00:00", "backendPoolName"=>"APG02_BackendPool14_JServiceCRM",
"listenerName"=>"APG02_Listener14_HTTPS_JServiceCRM", "properties"=>{"host"=>"ymzn-
bww21az010.amzn.ykgw.net", "clientPort"=>50252, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.7.4.136:8080", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.931e0,
"transactionId"=>"641b88502a66b3317439844ca62245a3", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/scrm/User/605171B8-80AB-493A-A994-4699E3B64A42?
retURL=%252Fsystem%252FUser%252FList.xhtml", "WAFEvaluationTime"=>"0.004",
"serverStatus"=>"200", "clientIP"=>"52.253.107.28", "httpStatus"=>200,
"sentBytes"=>26179, "requestUri"=>"/scrm/User/605171B8-80AB-493A-A994-
4699E3B64A42", "WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-
3f0510c83ca3/resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy14_JServiceCRM",
"connectionSerialNumber"=>535665, "contentType"=>"", "originalHost"=>"j-service-
crm.yokogawa.co.jp", "sslEnabled"=>"on", "receivedBytes"=>2187,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5",
"requestQuery"=>"retURL=%252Fsystem%252FUser%252FList.xhtml",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"36326", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>5,
"serverResponseLatency"=>"0.932"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP14_JServiceCRM-8080",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule14_JServiceCRM"}, :field=>"records"}
[2024-02-25T03:40:42,779][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:40:17+00:00", "timeStamp"=>"2024-02-
25T03:40:17+00:00", "backendPoolName"=>"APG02_BackendPool14_JServiceCRM",
"listenerName"=>"APG02_Listener14_HTTPS_JServiceCRM", "properties"=>{"host"=>"ymzn-
bww21az010.amzn.ykgw.net", "clientPort"=>50252, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.7.4.136:8080", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.421e0,
"transactionId"=>"772a683e801e0951ec3802e4e2175096", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/scrm/User/605171B8-80AB-493A-A994-4699E3B64A42",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"52.253.107.28",
"httpStatus"=>200, "sentBytes"=>749, "requestUri"=>"/scrm/User/605171B8-80AB-493A-
A994-4699E3B64A42", "WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-
3f0510c83ca3/resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy14_JServiceCRM",
"connectionSerialNumber"=>535665, "contentType"=>"application/x-www-form-
urlencoded; charset=UTF-8", "originalHost"=>"j-service-crm.yokogawa.co.jp",
"sslEnabled"=>"on", "receivedBytes"=>2614, "httpMethod"=>"POST",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5", "requestQuery"=>"",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"36326", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>6,
"serverResponseLatency"=>"0.420"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP14_JServiceCRM-8080",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule14_JServiceCRM"}, :field=>"records"}
[2024-02-25T03:40:42,779][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:40:17+00:00", "timeStamp"=>"2024-02-
25T03:40:17+00:00", "backendPoolName"=>"APG02_BackendPool14_JServiceCRM",
"listenerName"=>"APG02_Listener14_HTTPS_JServiceCRM", "properties"=>{"host"=>"ymzn-
bww21az010.amzn.ykgw.net", "clientPort"=>50254, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.7.4.136:8080", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.483e0,
"transactionId"=>"5a9c49afe0a5a12e008e8985b5573180", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/scrm/User/605171B8-80AB-493A-A994-4699E3B64A42",
"WAFEvaluationTime"=>"0.004", "serverStatus"=>"200", "clientIP"=>"52.253.107.28",
"httpStatus"=>200, "sentBytes"=>2874, "requestUri"=>"/scrm/User/605171B8-80AB-493A-
A994-4699E3B64A42", "WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-
3f0510c83ca3/resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy14_JServiceCRM",
"connectionSerialNumber"=>535667, "contentType"=>"application/x-www-form-
urlencoded; charset=UTF-8", "originalHost"=>"j-service-crm.yokogawa.co.jp",
"sslEnabled"=>"on", "receivedBytes"=>2596, "httpMethod"=>"POST",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_5", "requestQuery"=>"",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"21898", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>4,
"serverResponseLatency"=>"0.480"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP14_JServiceCRM-8080",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule14_JServiceCRM"}, :field=>"records"}
[2024-02-25T03:40:42,799][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>7, :payload_size=>220771, :content_length=>10596, :batch_offset=>0}
[2024-02-25T03:40:42,876][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is processing a batch of
size 1.
[2024-02-25T03:40:42,879][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Saving checkpoint: 1533313483272//1261846
[2024-02-25T03:40:42,880][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: updateCheckpoint() 1533313483272//1261846
[2024-02-25T03:40:42,880][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 finished processing a batch
of 10232 bytes.
[2024-02-25T03:40:42,931][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:40:42.879215387Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:40:10+00:00\", \"time\": \"2024-02-25T03:40:10+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"52.167.144.203\",\"clientPort\":41645,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=18806&rev=1&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=18806&rev=1&no=0\",\"userAgent\":\"Mo
zilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko; compatible; bingbot\\/2.0;
+http:\\/\\/www.bing.com\\/bingbot.htm) Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":344,\"sentBytes\":6120,\"connectionSerialNumber\":509655,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.06,\"WAFEva
luationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"13a5d380443f25b908d54caaa7531875\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"18210\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:40:11+00:00\", \"time\": \"2024-02-25T03:40:11+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15408\",\"requestUri\":\"\\/00\\/
S5YA15408\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1005,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":18,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluatio
nTime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"f71508fb4496
7aebca75f397f90cad3e\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:40:12+00:00\", \"time\": \"2024-02-
25T03:40:12+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"52.167.144.203\",\"clientPort\":41645,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=25142&namber=5789364&space=0&rev=0&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=25142&namber=5789364&space=0&rev=0&page=0
&no=0\",\"userAgent\":\"Mozilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko;
compatible; bingbot\\/2.0; +http:\\/\\/www.bing.com\\/bingbot.htm)
Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":370,\"sentBytes\":7688,\"connectionSerialNumber\":509655,\"
noOfConnectionRequests\":2,\"clientResponseTime\":0.004,\"timeTaken\":0.054,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"884af3219ecdea49059a2698be8e846b\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.052\",\"upst
reamSourcePort\":\"18210\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:40:12+00:00\", \"time\": \"2024-02-25T03:40:12+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"85.208.96.211\",\"clientPort\":13700,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
In=1&mo=25048&mode=al2&namber=5789364&no=0&page=80&rev=0&space=0\",\"requestUri\":\
"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"In=1&mo=25048&mode=al2&namber=5789364&no=0&page=80&re
v=0&space=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":389,\"sentBytes\":515,\"connectionSerialNumber\":509658,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"5f653acd0c0be4
5ae16c8fe4ca1d617f\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:40:18+00:00\", \"time\": \"2024-02-
25T03:40:18+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"40.77.167.132\",\"clientPort\":54985,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=59080&namber=5789364&space=0&rev=0&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=59080&namber=5789364&space=0&rev=0&page=0
&no=0\",\"userAgent\":\"Mozilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko;
compatible; bingbot\\/2.0; +http:\\/\\/www.bing.com\\/bingbot.htm)
Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":370,\"sentBytes\":514,\"connectionSerialNumber\":509661,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"fb797174e287b8
cfebeaadb2da7d69fc\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:40:19+00:00\", \"time\": \"2024-02-
25T03:40:19+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\":
\"APG01_BackendPool12_RepJP\", \"backendSettingName\": \"APG01_HTTP12_RepJP\", \"o
perationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGatewayAcc
essLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.5\",\"clientPort\":17284,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=57283&no=0&rev\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=57283&no=0&rev\",\"userAgent\":\"Mozi
lla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":355,\"sentBytes\":6137,\"connectionSerialNumber\":509660,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.06,\"WAFEva
luationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"085c9bac0467ee1daeb3a2aed5508f3a\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.056\",\"upst
reamSourcePort\":\"18210\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:40:10+00:00\", \"time\": \"2024-02-
25T03:40:10+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"52.167.144.203\",\"clientPort\":41645,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=18806&rev=1&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=18806&rev=1&no=0\",\"userAgent\":\"Mo
zilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko; compatible; bingbot\\/2.0;
+http:\\/\\/www.bing.com\\/bingbot.htm) Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":344,\"sentBytes\":6120,\"connectionSerialNumber\":509655,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.06,\"WAFEva
luationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"13a5d380443f25b908d54caaa7531875\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"18210\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:40:11+00:00\", \"time\": \"2024-02-25T03:40:11+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15408\",\"requestUri\":\"\\/00\\/
S5YA15408\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1005,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":18,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluatio
nTime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"f71508fb4496
7aebca75f397f90cad3e\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:40:12+00:00\", \"time\": \"2024-02-
25T03:40:12+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"52.167.144.203\",\"clientPort\":41645,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=25142&namber=5789364&space=0&rev=0&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=25142&namber=5789364&space=0&rev=0&page=0
&no=0\",\"userAgent\":\"Mozilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko;
compatible; bingbot\\/2.0; +http:\\/\\/www.bing.com\\/bingbot.htm)
Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":370,\"sentBytes\":7688,\"connectionSerialNumber\":509655,\"
noOfConnectionRequests\":2,\"clientResponseTime\":0.004,\"timeTaken\":0.054,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"884af3219ecdea49059a2698be8e846b\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.052\",\"upst
reamSourcePort\":\"18210\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:40:12+00:00\", \"time\": \"2024-02-25T03:40:12+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"85.208.96.211\",\"clientPort\":13700,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
In=1&mo=25048&mode=al2&namber=5789364&no=0&page=80&rev=0&space=0\",\"requestUri\":\
"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"In=1&mo=25048&mode=al2&namber=5789364&no=0&page=80&re
v=0&space=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":389,\"sentBytes\":515,\"connectionSerialNumber\":509658,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"5f653acd0c0be4
5ae16c8fe4ca1d617f\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:40:18+00:00\", \"time\": \"2024-02-
25T03:40:18+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"40.77.167.132\",\"clientPort\":54985,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=59080&namber=5789364&space=0&rev=0&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=59080&n
amber=5789364&space=0&rev=0&page=0&no=0\",\"userAgent\":\"Mozilla\\/5.0
AppleWebKit\\/537.36 (KHTML, like Gecko; compatible; bingbot\\/2.0;
+http:\\/\\/www.bing.com\\/bingbot.htm) Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":370,\"sentBytes\":514,\"connectionSerialNumber\":509661,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"fb797174e287b8
cfebeaadb2da7d69fc\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:40:19+00:00\", \"time\": \"2024-02-
25T03:40:19+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.5\",\"clientPort\":17284,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=57283&no=0&rev\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=57283&no=0&rev\",\"userAgent\":\"Mozi
lla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":355,\"sentBytes\":6137,\"connectionSerialNumber\":509660,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.06,\"WAFEva
luationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"085c9bac0467ee1daeb3a2aed5508f3a\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.056\",\"upst
reamSourcePort\":\"18210\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:40:42,933][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:40:10+00:00", "timeStamp"=>"2024-02-25T03:40:10+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>41645,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.6e-1,
"transactionId"=>"13a5d380443f25b908d54caaa7531875", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&namber=18806&rev=1&no=0", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"52.167.144.203", "httpStatus"=>200,
"sentBytes"=>6120, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509655, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>344,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&namber=18806&rev=1&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.5e-2,
"userAgent"=>"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible;
bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36",
"upstreamSourcePort"=>"18210", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>"0.060"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, {"time"=>"2024-02-25T03:40:11+00:00",
"timeStamp"=>"2024-02-25T03:40:11+00:00",
"listenerName"=>"APG01_Listener15_HTTPS_AutoID-Redirect",
"properties"=>{"host"=>"", "clientPort"=>35780, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"",
"timeTaken"=>0, "transactionId"=>"f71508fb44967aebca75f397f90cad3e",
"sslClientVerify"=>"NONE", "originalRequestUriWithArgs"=>"/00/S5YA15408",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"13.73.28.76",
"httpStatus"=>307, "sentBytes"=>463, "requestUri"=>"/00/S5YA15408",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509422, "contentType"=>"",
"originalHost"=>"autoid.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>1005,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>18,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule15_AutoID-Redirect"}, {"time"=>"2024-02-
25T03:40:12+00:00", "timeStamp"=>"2024-02-25T03:40:12+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>41645,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.54e-1,
"transactionId"=>"884af3219ecdea49059a2698be8e846b", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&mo=25142&namber=5789364&space=0&rev=0&page=0&no=0",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"52.167.144.203",
"httpStatus"=>200, "sentBytes"=>7688,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509655, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>370,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&mo=25142&namber=5789364&space=0&rev=0&page=0&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.4e-2,
"userAgent"=>"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible;
bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36",
"upstreamSourcePort"=>"18210", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>2,
"serverResponseLatency"=>"0.052"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, {"time"=>"2024-02-25T03:40:12+00:00",
"timeStamp"=>"2024-02-25T03:40:12+00:00",
"listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect", "properties"=>{"host"=>"",
"clientPort"=>13700, "sslProtocol"=>"", "serverRouted"=>"", "sslCipher"=>"",
"WAFMode"=>"", "timeTaken"=>0, "transactionId"=>"5f653acd0c0be45ae16c8fe4ca1d617f",
"sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
In=1&mo=25048&mode=al2&namber=5789364&no=0&page=80&rev=0&space=0",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"85.208.96.211",
"httpStatus"=>301, "sentBytes"=>515,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509658, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>389,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"In=1&mo=25048&mode=al2&namber=5789364&no=0&page=80&rev=0&space=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, {"time"=>"2024-02-
25T03:40:18+00:00", "timeStamp"=>"2024-02-25T03:40:18+00:00",
"listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect", "properties"=>{"host"=>"",
"clientPort"=>54985, "sslProtocol"=>"", "serverRouted"=>"", "sslCipher"=>"",
"WAFMode"=>"", "timeTaken"=>0, "transactionId"=>"fb797174e287b8cfebeaadb2da7d69fc",
"sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&mo=59080&namber=5789364&space=0&rev=0&page=0&no=0",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"40.77.167.132",
"httpStatus"=>301, "sentBytes"=>514,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509661, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>370,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&mo=59080&namber=5789364&space=0&rev=0&page=0&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible;
bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, {"time"=>"2024-02-
25T03:40:19+00:00", "timeStamp"=>"2024-02-25T03:40:19+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>17284,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.6e-1,
"transactionId"=>"085c9bac0467ee1daeb3a2aed5508f3a", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&namber=57283&no=0&rev", "WAFEvaluationTime"=>"0.004",
"serverStatus"=>"200", "clientIP"=>"185.191.171.5", "httpStatus"=>200,
"sentBytes"=>6137, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509660, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com",
"sslEnabled"=>"on", "receivedBytes"=>355, "httpMethod"=>"GET",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&namber=57283&no=0&rev",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.5e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"18210",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.056"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}], "@timestamp"=>2024-02-
25T03:40:42.879215387Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:40:10+00:00\", \"time\": \"2024-02-25T03:40:10+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"52.167.144.203\",\"clientPort\":41645,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=18806&rev=1&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=18806&rev=1&no=0\",\"userAgent\":\"Mo
zilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko; compatible; bingbot\\/2.0;
+http:\\/\\/www.bing.com\\/bingbot.htm) Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":344,\"sentBytes\":6120,\"connectionSerialNumber\":509655,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.06,\"WAFEva
luationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"13a5d380443f25b908d54caaa7531875\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"18210\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:40:11+00:00\", \"time\": \"2024-02-25T03:40:11+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15408\",\"requestUri\":\"\\/00\\/
S5YA15408\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1005,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":18,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluatio
nTime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"f71508fb4496
7aebca75f397f90cad3e\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:40:12+00:00\", \"time\": \"2024-02-
25T03:40:12+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"52.167.144.203\",\"clientPort\":41645,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=25142&namber=5789364&space=0&rev=0&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=25142&namber=5789364&space=0&rev=0&page=0
&no=0\",\"userAgent\":\"Mozilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko;
compatible; bingbot\\/2.0; +http:\\/\\/www.bing.com\\/bingbot.htm)
Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":370,\"sentBytes\":7688,\"connectionSerialNumber\":509655,\"
noOfConnectionRequests\":2,\"clientResponseTime\":0.004,\"timeTaken\":0.054,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"884af3219ecdea49059a2698be8e846b\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.052\",\"upst
reamSourcePort\":\"18210\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:40:12+00:00\", \"time\": \"2024-02-25T03:40:12+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"85.208.96.211\",\"clientPort\":13700,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
In=1&mo=25048&mode=al2&namber=5789364&no=0&page=80&rev=0&space=0\",\"requestUri\":\
"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"In=1&mo=25048&mode=al2&namber=5789364&no=0&page=80&re
v=0&space=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":389,\"sentBytes\":515,\"connectionSerialNumber\":509658,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"5f653acd0c0be4
5ae16c8fe4ca1d617f\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:40:18+00:00\", \"time\": \"2024-02-
25T03:40:18+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"40.77.167.132\",\"clientPort\":54985,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=59080&namber=5789364&space=0&rev=0&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=59080&namber=5789364&space=0&rev=0&page=0
&no=0\",\"userAgent\":\"Mozilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko;
compatible; bingbot\\/2.0; +http:\\/\\/www.bing.com\\/bingbot.htm)
Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":370,\"sentBytes\":514,\"connectionSerialNumber\":509661,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"fb797174e287b8
cfebeaadb2da7d69fc\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\"
,\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstr
eamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"\"}},
{ \"timeStamp\": \"2024-02-25T03:40:19+00:00\", \"time\": \"2024-02-
25T03:40:19+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.5\",\"clientPort\":17284,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=57283&no=0&rev\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=57283&no=0&rev\",\"userAgent\":\"Mozi
lla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":355,\"sentBytes\":6137,\"connectionSerialNumber\":509660,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.06,\"WAFEva
luationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"085c9bac0467ee1daeb3a2aed5508f3a\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.056\",\"upst
reamSourcePort\":\"18210\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:40:10+00:00\", \"time\": \"2024-02-
25T03:40:10+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"52.167.144.203\",\"clientPort\":41645,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=18806&rev=1&no=0\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=18806&rev=1&no=0\",\"userAgent\":\"Mo
zilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko; compatible; bingbot\\/2.0;
+http:\\/\\/www.bing.com\\/bingbot.htm) Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":344,\"sentBytes\":6120,\"connectionSerialNumber\":509655,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.06,\"WAFEva
luationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"13a5d380443f25b908d54caaa7531875\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"18210\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:40:11+00:00\", \"time\": \"2024-02-25T03:40:11+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener15_HTTPS_AutoID-
Redirect\", \"ruleName\": \"APG01_RoutingRule15_AutoID-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"13.73.28.76\",\"clientPort\":35780,\"htt
pMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/00\\/
S5YA15408\",\"requestUri\":\"\\/00\\/
S5YA15408\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/121.0.0.0
Safari\\/537.36
Edg\\/121.0.0.0\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":307,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1005,\"sentBytes\":463,\"connectionSerialNumber\":509422,\"
noOfConnectionRequests\":18,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluatio
nTime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"f71508fb4496
7aebca75f397f90cad3e\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"autoid.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:40:12+00:00\", \"time\": \"2024-02-
25T03:40:12+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"52.167.144.203\",\"clientPort\":41645,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=25142&namber=5789364&space=0&rev=0&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=25142&namber=5789364&space=0&rev=0&page=0
&no=0\",\"userAgent\":\"Mozilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko;
compatible; bingbot\\/2.0; +http:\\/\\/www.bing.com\\/bingbot.htm)
Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":370,\"sentBytes\":7688,\"connectionSerialNumber\":509655,\"
noOfConnectionRequests\":2,\"clientResponseTime\":0.004,\"timeTaken\":0.054,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"884af3219ecdea49059a2698be8e846b\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.052\",\"upst
reamSourcePort\":\"18210\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:40:12+00:00\", \"time\": \"2024-02-25T03:40:12+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"85.208.96.211\",\"clientPort\":13700,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
In=1&mo=25048&mode=al2&namber=5789364&no=0&page=80&rev=0&space=0\",\"requestUri\":\
"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"In=1&mo=25048&mode=al2&namber=5789364&no=0&page=80&re
v=0&space=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":389,\"sentBytes\":515,\"connectionSerialNumber\":509658,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"5f653acd0c0be4
5ae16c8fe4ca1d617f\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:40:18+00:00\", \"time\": \"2024-02-
25T03:40:18+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-AZURE_APG01_V2\",
\"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"40.77.167.132\",\"clientPort\":54985,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=59080&namber=5789364&space=0&rev=0&page=0&no=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=59080&namber=5789364&space=0&rev=0&page=0
&no=0\",\"userAgent\":\"Mozilla\\/5.0 AppleWebKit\\/537.36 (KHTML, like Gecko;
compatible; bingbot\\/2.0; +http:\\/\\/www.bing.com\\/bingbot.htm)
Chrome\\/116.0.1938.76
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":370,\"sentBytes\":514,\"connectionSerialNumber\":509661,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"fb797174e287b8
cfebeaadb2da7d69fc\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:40:19+00:00\", \"time\": \"2024-02-
25T03:40:19+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.5\",\"clientPort\":17284,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=57283&no=0&rev\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=57283&no=0&rev\",\"userAgent\":\"Mozi
lla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":355,\"sentBytes\":6137,\"connectionSerialNumber\":509660,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.06,\"WAFEva
luationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"085c9bac0467ee1daeb3a2aed5508f3a\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.056\",\"upst
reamSourcePort\":\"18210\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:40:42,941][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:40:10+00:00", "timeStamp"=>"2024-02-
25T03:40:10+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>41645,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.6e-1,
"transactionId"=>"13a5d380443f25b908d54caaa7531875", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&namber=18806&rev=1&no=0", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"52.167.144.203", "httpStatus"=>200,
"sentBytes"=>6120, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509655, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>344,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&namber=18806&rev=1&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.5e-2,
"userAgent"=>"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible;
bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36",
"upstreamSourcePort"=>"18210", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>"0.060"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:40:42,942][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:40:11+00:00", "timeStamp"=>"2024-02-
25T03:40:11+00:00", "listenerName"=>"APG01_Listener15_HTTPS_AutoID-Redirect",
"properties"=>{"host"=>"", "clientPort"=>35780, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"",
"timeTaken"=>0, "transactionId"=>"f71508fb44967aebca75f397f90cad3e",
"sslClientVerify"=>"NONE", "originalRequestUriWithArgs"=>"/00/S5YA15408",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"13.73.28.76",
"httpStatus"=>307, "sentBytes"=>463, "requestUri"=>"/00/S5YA15408",
"WAFPolicyID"=>"", "connectionSerialNumber"=>509422, "contentType"=>"",
"originalHost"=>"autoid.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>1005,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>18,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule15_AutoID-Redirect"}, :field=>"records"}
[2024-02-25T03:40:42,943][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:40:12+00:00", "timeStamp"=>"2024-02-
25T03:40:12+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>41645,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.54e-1,
"transactionId"=>"884af3219ecdea49059a2698be8e846b", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&mo=25142&namber=5789364&space=0&rev=0&page=0&no=0",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"52.167.144.203",
"httpStatus"=>200, "sentBytes"=>7688,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509655, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>370,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&mo=25142&namber=5789364&space=0&rev=0&page=0&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.4e-2,
"userAgent"=>"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible;
bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36",
"upstreamSourcePort"=>"18210", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>2,
"serverResponseLatency"=>"0.052"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:40:42,943][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:40:12+00:00", "timeStamp"=>"2024-02-
25T03:40:12+00:00", "listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect",
"properties"=>{"host"=>"", "clientPort"=>13700, "sslProtocol"=>"",
"serverRouted"=>"", "sslCipher"=>"", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"5f653acd0c0be45ae16c8fe4ca1d617f", "sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
In=1&mo=25048&mode=al2&namber=5789364&no=0&page=80&rev=0&space=0",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"85.208.96.211",
"httpStatus"=>301, "sentBytes"=>515,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509658, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>389,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"In=1&mo=25048&mode=al2&namber=5789364&no=0&page=80&rev=0&space=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, :field=>"records"}
[2024-02-25T03:40:42,943][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:40:18+00:00", "timeStamp"=>"2024-02-
25T03:40:18+00:00", "listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect",
"properties"=>{"host"=>"", "clientPort"=>54985, "sslProtocol"=>"",
"serverRouted"=>"", "sslCipher"=>"", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"fb797174e287b8cfebeaadb2da7d69fc", "sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&mo=59080&namber=5789364&space=0&rev=0&page=0&no=0",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"40.77.167.132",
"httpStatus"=>301, "sentBytes"=>514,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509661, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>370,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&mo=59080&namber=5789364&space=0&rev=0&page=0&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible;
bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, :field=>"records"}
[2024-02-25T03:40:42,943][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:40:19+00:00", "timeStamp"=>"2024-02-
25T03:40:19+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>17284,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.6e-1,
"transactionId"=>"085c9bac0467ee1daeb3a2aed5508f3a", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&namber=57283&no=0&rev", "WAFEvaluationTime"=>"0.004",
"serverStatus"=>"200", "clientIP"=>"185.191.171.5", "httpStatus"=>200,
"sentBytes"=>6137, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509660, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>355,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&namber=57283&no=0&rev",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.5e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"18210",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.056"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:40:42,964][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>6, :payload_size=>148106, :content_length=>10579, :batch_offset=>0}
[2024-02-25T03:40:43,417][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:40:43,417][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:40:43,417][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25256
[2024-02-25T03:40:43,417][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20073
[2024-02-25T03:40:43,417][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25256
[2024-02-25T03:40:43,417][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25188
[2024-02-25T03:40:43,417][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20073
[2024-02-25T03:40:43,417][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25207
[2024-02-25T03:40:43,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25187
[2024-02-25T03:40:43,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25206
[2024-02-25T03:40:43,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:40:43,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:40:43,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:40:43,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:40:43,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:40:43,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:40:43,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:40:43,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:40:43,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:40:43,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:40:43,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:40:43,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:40:43,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:40:43,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:40:43,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:40:43,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:40:43,490][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:40:43,490][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:40:43,491][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:40:45,443][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
1], linkName[LN_7535a2_1708832073460_45c_G10] - schedule operation timer, current:
[2024-02-25T03:40:45.443486313Z], remaining: [60] secs
[2024-02-25T03:40:45,718][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:40:45,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:40:45,719][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:40:46,709][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=347708838} forced-compaction result
(captures: `13` span: `PT1M0.031140573S`)
[2024-02-25T03:40:46,710][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1975461151} forced-compaction result
(captures: `13` span: `PT1M0.031134773S`)
[2024-02-25T03:40:46,710][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_5_minutes id=258483485} forced-compaction result
(captures: `32` span: `PT5M5.189106068S`)
[2024-02-25T03:40:46,710][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=834359250} forced-compaction result
(captures: `13` span: `PT1M0.031186073S`)
[2024-02-25T03:40:46,710][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_5_minutes id=814893463} forced-compaction result
(captures: `32` span: `PT5M5.189182169S`)
[2024-02-25T03:40:46,710][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=212501865} forced-compaction result
(captures: `13` span: `PT1M0.031217775S`)
[2024-02-25T03:40:46,710][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_5_minutes id=106158887} forced-compaction result
(captures: `32` span: `PT5M5.18919307S`)
[2024-02-25T03:40:46,710][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1420193271} forced-compaction result
(captures: `13` span: `PT1M0.031268575S`)
[2024-02-25T03:40:46,710][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_5_minutes id=1371747750} forced-compaction result
(captures: `32` span: `PT5M5.18922167S`)
[2024-02-25T03:40:47,161][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:40:47,161][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:40:47,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:40:48,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:40:48,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:40:48,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20255
[2024-02-25T03:40:48,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20255
[2024-02-25T03:40:48,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25073
[2024-02-25T03:40:48,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25073
[2024-02-25T03:40:48,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20187
[2024-02-25T03:40:48,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20187
[2024-02-25T03:40:48,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20206
[2024-02-25T03:40:48,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20206
[2024-02-25T03:40:48,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:40:48,418][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:40:48,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:40:48,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:40:48,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:40:48,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:40:48,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:40:48,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:40:48,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:40:48,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:40:48,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:40:48,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:40:48,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:40:48,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:40:48,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:40:48,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:40:48,605][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:40:48,605][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:40:48,605][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:40:48,624][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:40:48,624][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:40:48,625][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:40:48,674][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:40:48,674][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:40:48,674][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:40:48,721][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:40:48,721][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:40:48,722][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:40:50,609][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is processing a batch of
size 1.
[2024-02-25T03:40:50,614][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Saving checkpoint: 1533313493576//1261847
[2024-02-25T03:40:50,615][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: updateCheckpoint() 1533313493576//1261847
[2024-02-25T03:40:50,615][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 finished processing a batch
of 4910 bytes.
[2024-02-25T03:40:50,665][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:40:50.610848907Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:40:21+00:00\", \"time\": \"2024-02-25T03:40:21+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.7\",\"clientPort\":10388,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
In=1&mo=16996&mode=al2&namber=5789364&no=0&page=20&rev=0&space=0\",\"requestUri\":\
"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"In=1&mo=16996&mode=al2&namber=5789364&no=0&page=20&re
v=0&space=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":389,\"sentBytes\":6499,\"connectionSerialNumber\":510114,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.061,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"4c360a8866170d341000636560318fc3\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"49918\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:40:23+00:00\", \"time\": \"2024-02-25T03:40:23+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"85.208.96.197\",\"clientPort\":7212,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=21940&mode=res&namber=148995&no=0&page=10&space=15\",\"requestUri\":\"\\/cgi-
bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=21940&mode=res&namber=148995&no=0&page=10&space=15
\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":378,\"sentBytes\":504,\"connectionSerialNumber\":510116,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"31d0f5cc73021d
5e3bbe6f33bcfb1481\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:40:26+00:00\", \"time\": \"2024-02-
25T03:40:26+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.15\",\"clientPort\":40682,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=38770&mode=al2&namber=5617059&no=0&page=80&rev=0&space=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=38770&mode=al2&namber=5617059&no=0&page=80&rev=0&s
pace=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":384,\"sentBytes\":510,\"connectionSerialNumber\":510117,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"5df8cbd8e72f65
a3e0feec39abb3286f\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}", "event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-
02-25T03:40:21+00:00\", \"time\": \"2024-02-
25T03:40:21+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.7\",\"clientPort\":10388,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
In=1&mo=16996&mode=al2&namber=5789364&no=0&page=20&rev=0&space=0\",\"requestUri\":\
"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"In=1&mo=16996&mode=al2&namber=5789364&no=0&page=20&re
v=0&space=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":389,\"sentBytes\":6499,\"connectionSerialNumber\":510114,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.061,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"4c360a8866170d341000636560318fc3\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"49918\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:40:23+00:00\", \"time\": \"2024-02-25T03:40:23+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"85.208.96.197\",\"clientPort\":7212,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=21940&mode=res&namber=148995&no=0&page=10&space=15\",\"requestUri\":\"\\/cgi-
bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=21940&mode=res&namber=148995&no=0&page=10&space=15
\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":378,\"sentBytes\":504,\"connectionSerialNumber\":510116,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"31d0f5cc73021d
5e3bbe6f33bcfb1481\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:40:26+00:00\", \"time\": \"2024-02-
25T03:40:26+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\":
\"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.15\",\"clientPort\":40682,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=38770&mode=al2&namber=5617059&no=0&page=80&rev=0&space=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=38770&mode=al2&namber=5617059&no=0&page=80&rev=0&s
pace=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":384,\"sentBytes\":510,\"connectionSerialNumber\":510117,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"5df8cbd8e72f65
a3e0feec39abb3286f\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}"}}}
[2024-02-25T03:40:50,666][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:40:21+00:00", "timeStamp"=>"2024-02-25T03:40:21+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>10388,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.61e-1,
"transactionId"=>"4c360a8866170d341000636560318fc3", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
In=1&mo=16996&mode=al2&namber=5789364&no=0&page=20&rev=0&space=0",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"185.191.171.7",
"httpStatus"=>200, "sentBytes"=>6499,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>510114, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>389,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"In=1&mo=16996&mode=al2&namber=5789364&no=0&page=20&rev=0&space=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"49918",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.064"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, {"time"=>"2024-02-25T03:40:23+00:00",
"timeStamp"=>"2024-02-25T03:40:23+00:00",
"listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect", "properties"=>{"host"=>"",
"clientPort"=>7212, "sslProtocol"=>"", "serverRouted"=>"", "sslCipher"=>"",
"WAFMode"=>"", "timeTaken"=>0, "transactionId"=>"31d0f5cc73021d5e3bbe6f33bcfb1481",
"sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mo=21940&mode=res&namber=148995&no=0&page=10&space=15", "WAFEvaluationTime"=>"",
"serverStatus"=>"", "clientIP"=>"85.208.96.197", "httpStatus"=>301,
"sentBytes"=>504, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"", "connectionSerialNumber"=>510116, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>378,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mo=21940&mode=res&namber=148995&no=0&page=10&space=15",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, {"time"=>"2024-02-
25T03:40:26+00:00", "timeStamp"=>"2024-02-25T03:40:26+00:00",
"listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect", "properties"=>{"host"=>"",
"clientPort"=>40682, "sslProtocol"=>"", "serverRouted"=>"", "sslCipher"=>"",
"WAFMode"=>"", "timeTaken"=>0, "transactionId"=>"5df8cbd8e72f65a3e0feec39abb3286f",
"sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mo=38770&mode=al2&namber=5617059&no=0&page=80&rev=0&space=0",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"185.191.171.15",
"httpStatus"=>301, "sentBytes"=>510,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>510117, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>384,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mo=38770&mode=al2&namber=5617059&no=0&page=80&rev=0&space=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}], "@timestamp"=>2024-02-
25T03:40:50.610848907Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:40:21+00:00\", \"time\": \"2024-02-25T03:40:21+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.7\",\"clientPort\":10388,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
In=1&mo=16996&mode=al2&namber=5789364&no=0&page=20&rev=0&space=0\",\"requestUri\":\
"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"In=1&mo=16996&mode=al2&namber=5789364&no=0&page=20&re
v=0&space=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":389,\"sentBytes\":6499,\"connectionSerialNumber\":510114,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.061,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"4c360a8866170d341000636560318fc3\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"49918\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:40:23+00:00\", \"time\": \"2024-02-25T03:40:23+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"85.208.96.197\",\"clientPort\":7212,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=21940&mode=res&namber=148995&no=0&page=10&space=15\",\"requestUri\":\"\\/cgi-
bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=21940&mode=res&namber=148995&no=0&page=10&space=15
\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":378,\"sentBytes\":504,\"connectionSerialNumber\":510116,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"31d0f5cc73021d
5e3bbe6f33bcfb1481\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:40:26+00:00\", \"time\": \"2024-02-
25T03:40:26+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.15\",\"clientPort\":40682,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=38770&mode=al2&namber=5617059&no=0&page=80&rev=0&space=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=38770&mode=al2&namber=5617059&no=0&page=80&rev=0&s
pace=0\",\"userAgent\":\"Mozilla\\/5.0
(compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":384,\"sentBytes\":510,\"connectionSerialNumber\":510117,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"5df8cbd8e72f65
a3e0feec39abb3286f\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}", "event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-
02-25T03:40:21+00:00\", \"time\": \"2024-02-
25T03:40:21+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.7\",\"clientPort\":10388,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
In=1&mo=16996&mode=al2&namber=5789364&no=0&page=20&rev=0&space=0\",\"requestUri\":\
"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"In=1&mo=16996&mode=al2&namber=5789364&no=0&page=20&re
v=0&space=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":389,\"sentBytes\":6499,\"connectionSerialNumber\":510114,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.061,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"4c360a8866170d341000636560318fc3\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"49918\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:40:23+00:00\", \"time\": \"2024-02-25T03:40:23+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"85.208.96.197\",\"clientPort\":7212,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=21940&mode=res&namber=148995&no=0&page=10&space=15\",\"requestUri\":\"\\/cgi-
bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=21940&mode=res&namber=148995&no=0&page=10&space=15
\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":378,\"sentBytes\":504,\"connectionSerialNumber\":510116,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"31d0f5cc73021d
5e3bbe6f33bcfb1481\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:40:26+00:00\", \"time\": \"2024-02-
25T03:40:26+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"185.191.171.15\",\"clientPort\":40682,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=38770&mode=al2&namber=5617059&no=0&page=80&rev=0&space=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=38770&mode=al2&namber=5617059&no=0&page=80&rev=0&s
pace=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":384,\"sentBytes\":510,\"connectionSerialNumber\":510117,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"5df8cbd8e72f65
a3e0feec39abb3286f\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}"}}}
[2024-02-25T03:40:50,676][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:40:21+00:00", "timeStamp"=>"2024-02-
25T03:40:21+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>10388,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.61e-1,
"transactionId"=>"4c360a8866170d341000636560318fc3", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
In=1&mo=16996&mode=al2&namber=5789364&no=0&page=20&rev=0&space=0",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"185.191.171.7",
"httpStatus"=>200, "sentBytes"=>6499,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>510114, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>389,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"In=1&mo=16996&mode=al2&namber=5789364&no=0&page=20&rev=0&space=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"49918",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.064"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:40:50,676][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:40:23+00:00", "timeStamp"=>"2024-02-
25T03:40:23+00:00", "listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect",
"properties"=>{"host"=>"", "clientPort"=>7212, "sslProtocol"=>"",
"serverRouted"=>"", "sslCipher"=>"", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"31d0f5cc73021d5e3bbe6f33bcfb1481", "sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mo=21940&mode=res&namber=148995&no=0&page=10&space=15", "WAFEvaluationTime"=>"",
"serverStatus"=>"", "clientIP"=>"85.208.96.197", "httpStatus"=>301,
"sentBytes"=>504, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"", "connectionSerialNumber"=>510116, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>378,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mo=21940&mode=res&namber=148995&no=0&page=10&space=15",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, :field=>"records"}
[2024-02-25T03:40:50,676][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:40:26+00:00", "timeStamp"=>"2024-02-
25T03:40:26+00:00", "listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect",
"properties"=>{"host"=>"", "clientPort"=>40682, "sslProtocol"=>"",
"serverRouted"=>"", "sslCipher"=>"", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"5df8cbd8e72f65a3e0feec39abb3286f", "sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mo=38770&mode=al2&namber=5617059&no=0&page=80&rev=0&space=0",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"185.191.171.15",
"httpStatus"=>301, "sentBytes"=>510,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>510117, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>384,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mo=38770&mode=al2&namber=5617059&no=0&page=80&rev=0&space=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, :field=>"records"}
[2024-02-25T03:40:50,687][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>3, :payload_size=>38581, :content_length=>3649, :batch_offset=>0}
[2024-02-25T03:40:50,909][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], linkName[LN_163586_1708832038575_634_G17] - Reschedule operation timer,
current: [2024-02-25T03:40:50.909905894Z], remaining: [59] secs
[2024-02-25T03:40:50,910][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], linkName[LN_163586_1708832038575_634_G17] - Reschedule operation timer,
current: [2024-02-25T03:40:50.910131699Z], remaining: [59] secs
[2024-02-25T03:40:51,712][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_5_minutes id=788218642} forced-compaction result
(captures: `32` span: `PT5M5.188835917S`)
[2024-02-25T03:40:51,712][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1185004608} forced-compaction result
(captures: `13` span: `PT1M0.031674502S`)
[2024-02-25T03:40:51,712][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=470312551} forced-compaction result
(captures: `13` span: `PT1M0.031543399S`)
[2024-02-25T03:40:51,712][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1089746968} forced-compaction result
(captures: `13` span: `PT1M0.031542499S`)
[2024-02-25T03:40:51,712][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=852728684} forced-compaction result
(captures: `13` span: `PT1M0.031517199S`)
[2024-02-25T03:40:51,712][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2044420810} forced-compaction result
(captures: `13` span: `PT1M0.031524298S`)
[2024-02-25T03:40:51,713][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=650053832} forced-compaction result
(captures: `13` span: `PT1M0.031537098S`)
[2024-02-25T03:40:51,713][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_5_minutes id=527817925} forced-compaction result
(captures: `32` span: `PT5M5.188632113S`)
[2024-02-25T03:40:51,713][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1206567167} forced-compaction result
(captures: `13` span: `PT1M0.031561499S`)
[2024-02-25T03:40:51,713][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_5_minutes id=1448823314} forced-compaction result
(captures: `32` span: `PT5M5.188674413S`)
[2024-02-25T03:40:51,713][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1766603669} forced-compaction result
(captures: `13` span: `PT1M0.031576399S`)
[2024-02-25T03:40:51,713][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_5_minutes id=460460603} forced-compaction result
(captures: `32` span: `PT5M5.188700514S`)
[2024-02-25T03:40:51,713][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1260640580} forced-compaction result
(captures: `13` span: `PT1M0.0315779S`)
[2024-02-25T03:40:51,713][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_5_minutes id=1868898708} forced-compaction result
(captures: `32` span: `PT5M5.188728815S`)
[2024-02-25T03:40:51,713][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=352608672} forced-compaction result
(captures: `13` span: `PT1M0.0315896S`)
[2024-02-25T03:40:51,713][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_5_minutes id=1590123337} forced-compaction result
(captures: `32` span: `PT5M5.188755516S`)
[2024-02-25T03:40:51,713][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=83404487} forced-compaction result
(captures: `13` span: `PT1M0.031592699S`)
[2024-02-25T03:40:51,713][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_5_minutes id=1388351833} forced-compaction result
(captures: `32` span: `PT5M5.188782916S`)
[2024-02-25T03:40:51,713][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=216053086} forced-compaction result
(captures: `13` span: `PT1M0.0315922S`)
[2024-02-25T03:40:51,713][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_5_minutes id=1504223984} forced-compaction result
(captures: `32` span: `PT5M5.188807917S`)
[2024-02-25T03:40:51,713][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1499243647} forced-compaction result
(captures: `13` span: `PT1M0.0316239S`)
[2024-02-25T03:40:51,713][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_5_minutes id=520569296} forced-compaction result
(captures: `32` span: `PT5M5.188856118S`)
[2024-02-25T03:40:51,713][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1877198741} forced-compaction result
(captures: `13` span: `PT1M0.031618101S`)
[2024-02-25T03:40:51,713][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_5_minutes id=2080267370} forced-compaction result
(captures: `32` span: `PT5M5.188884019S`)
[2024-02-25T03:40:51,717][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:40:51,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:40:51,726][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:40:52,165][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:40:52,169][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:40:52,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:40:53,138][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_fa3633_1708832068590_MF_dea4fe_1708832068367-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
0], linkName[LN_f9801c_1708832068620_e07_G30] - Reschedule operation timer,
current: [2024-02-25T03:40:53.138053129Z], remaining: [19] secs
[2024-02-25T03:40:53,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:40:53,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:40:53,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25255
[2024-02-25T03:40:53,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25255
[2024-02-25T03:40:53,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20072
[2024-02-25T03:40:53,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20072
[2024-02-25T03:40:53,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25186
[2024-02-25T03:40:53,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25205
[2024-02-25T03:40:53,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25186
[2024-02-25T03:40:53,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25205
[2024-02-25T03:40:53,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:40:53,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:40:53,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:40:53,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:40:53,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:40:53,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:40:53,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:40:53,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:40:53,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:40:53,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:40:53,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:40:53,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:40:53,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:40:53,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:40:53,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:40:53,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:40:53,491][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:40:53,491][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:40:53,491][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:40:53,746][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is processing a batch of
size 1.
[2024-02-25T03:40:53,747][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Saving checkpoint: 1533313498552//1261848
[2024-02-25T03:40:53,747][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: updateCheckpoint() 1533313498552//1261848
[2024-02-25T03:40:53,747][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 finished processing a batch
of 1530 bytes.
[2024-02-25T03:40:53,798][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:40:53.746918837Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:40:28+00:00\", \"time\": \"2024-02-25T03:40:28+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.5\",\"clientPort\":26044,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
In=1&mo=18979&mode=al2&namber=5789364&no=0&page=60&rev=0&space=0\",\"requestUri\":\
"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"In=1&mo=18979&mode=al2&namber=5789364&no=0&page=60&re
v=0&space=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":389,\"sentBytes\":515,\"connectionSerialNumber\":509664,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"aed1367c822142
906b4164c20d637263\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}", "event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-
02-25T03:40:28+00:00\", \"time\": \"2024-02-
25T03:40:28+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.5\",\"clientPort\":26044,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
In=1&mo=18979&mode=al2&namber=5789364&no=0&page=60&rev=0&space=0\",\"requestUri\":\
"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"In=1&mo=18979&mode=al2&namber=5789364&no=0&page=60&re
v=0&space=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":389,\"sentBytes\":515,\"connectionSerialNumber\":509664,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"aed1367c822142
906b4164c20d637263\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}"}}}
[2024-02-25T03:40:53,799][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:40:28+00:00", "timeStamp"=>"2024-02-25T03:40:28+00:00",
"listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect", "properties"=>{"host"=>"",
"clientPort"=>26044, "sslProtocol"=>"", "serverRouted"=>"", "sslCipher"=>"",
"WAFMode"=>"", "timeTaken"=>0, "transactionId"=>"aed1367c822142906b4164c20d637263",
"sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
In=1&mo=18979&mode=al2&namber=5789364&no=0&page=60&rev=0&space=0",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"185.191.171.5",
"httpStatus"=>301, "sentBytes"=>515,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509664, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>389,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"In=1&mo=18979&mode=al2&namber=5789364&no=0&page=60&rev=0&space=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}], "@timestamp"=>2024-02-
25T03:40:53.746918837Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:40:28+00:00\", \"time\": \"2024-02-25T03:40:28+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.5\",\"clientPort\":26044,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
In=1&mo=18979&mode=al2&namber=5789364&no=0&page=60&rev=0&space=0\",\"requestUri\":\
"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"In=1&mo=18979&mode=al2&namber=5789364&no=0&page=60&re
v=0&space=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":389,\"sentBytes\":515,\"connectionSerialNumber\":509664,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"aed1367c822142
906b4164c20d637263\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}", "event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-
02-25T03:40:28+00:00\", \"time\": \"2024-02-
25T03:40:28+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.5\",\"clientPort\":26044,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
In=1&mo=18979&mode=al2&namber=5789364&no=0&page=60&rev=0&space=0\",\"requestUri\":\
"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"In=1&mo=18979&mode=al2&namber=5789364&no=0&page=60&re
v=0&space=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":389,\"sentBytes\":515,\"connectionSerialNumber\":509664,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"aed1367c822142
906b4164c20d637263\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}"}}}
[2024-02-25T03:40:53,799][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:40:28+00:00", "timeStamp"=>"2024-02-
25T03:40:28+00:00", "listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect",
"properties"=>{"host"=>"", "clientPort"=>26044, "sslProtocol"=>"",
"serverRouted"=>"", "sslCipher"=>"", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"aed1367c822142906b4164c20d637263", "sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
In=1&mo=18979&mode=al2&namber=5789364&no=0&page=60&rev=0&space=0",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"185.191.171.5",
"httpStatus"=>301, "sentBytes"=>515,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509664, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>389,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"In=1&mo=18979&mode=al2&namber=5789364&no=0&page=60&rev=0&space=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, :field=>"records"}
[2024-02-25T03:40:53,810][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>1, :payload_size=>5260, :content_length=>1523, :batch_offset=>0}
[2024-02-25T03:40:54,717][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:40:54,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:40:54,719][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:40:56,715][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1206079401} forced-compaction result (captures: `3` span: `PT10.005229239S`)
[2024-02-25T03:40:56,715][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=725814568} forced-compaction result (captures: `3` span: `PT10.005228039S`)
[2024-02-25T03:40:56,715][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1730595321} forced-compaction result (captures: `3` span: `PT10.005176439S`)
[2024-02-25T03:40:56,715][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_5_minutes id=1654328116} forced-compaction result
(captures: `32` span: `PT5M5.188385383S`)
[2024-02-25T03:40:56,715][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_5_minutes id=458771051} forced-compaction result
(captures: `32` span: `PT5M5.187852771S`)
[2024-02-25T03:40:56,715][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_5_minutes id=1783169091} forced-compaction result
(captures: `32` span: `PT5M5.18778327S`)
[2024-02-25T03:40:56,715][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_5_minutes id=1822563343} forced-compaction result
(captures: `32` span: `PT5M5.187765469S`)
[2024-02-25T03:40:56,715][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_5_minutes id=1457154052} forced-compaction result
(captures: `32` span: `PT5M5.187726569S`)
[2024-02-25T03:40:56,715][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2047832316} forced-compaction result
(captures: `13` span: `PT1M0.031903224S`)
[2024-02-25T03:40:56,715][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=267304298} forced-compaction result
(captures: `13` span: `PT1M0.031857123S`)
[2024-02-25T03:40:57,174][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:40:57,181][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:40:57,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:40:57,724][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:40:57,724][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:40:57,732][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:40:58,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:40:58,419][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:40:58,420][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20254
[2024-02-25T03:40:58,420][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25071
[2024-02-25T03:40:58,420][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20254
[2024-02-25T03:40:58,420][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25071
[2024-02-25T03:40:58,420][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20185
[2024-02-25T03:40:58,420][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20204
[2024-02-25T03:40:58,420][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:40:58,420][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:40:58,420][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:40:58,420][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:40:58,420][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:40:58,420][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:40:58,420][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:40:58,420][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:40:58,420][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20185
[2024-02-25T03:40:58,420][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20204
[2024-02-25T03:40:58,420][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:40:58,420][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:40:58,420][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:40:58,420][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:40:58,420][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:40:58,420][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:40:58,420][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:40:58,420][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:40:58,605][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:40:58,606][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:40:58,606][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:40:58,625][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:40:58,625][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:40:58,625][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:40:58,674][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:40:58,674][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:40:58,674][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:41:00,720][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:41:00,720][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:41:00,722][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:41:01,718][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=540156057} forced-compaction result (captures: `3` span: `PT10.00568355S`)
[2024-02-25T03:41:01,718][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1346215174} forced-compaction result (captures: `3` span: `PT10.005872054S`)
[2024-02-25T03:41:01,718][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=827149645} forced-compaction result (captures: `3` span: `PT10.005804552S`)
[2024-02-25T03:41:01,718][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=235286487} forced-compaction result (captures: `3` span: `PT10.005790552S`)
[2024-02-25T03:41:01,718][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1065480294} forced-compaction result (captures: `3` span: `PT10.005793352S`)
[2024-02-25T03:41:01,718][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=57188157} forced-compaction result (captures: `3` span: `PT10.005845453S`)
[2024-02-25T03:41:01,718][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1486130488} forced-compaction result (captures: `3` span: `PT10.005914355S`)
[2024-02-25T03:41:01,719][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_5_minutes id=1672453985} forced-compaction result
(captures: `32` span: `PT5M5.186927626S`)
[2024-02-25T03:41:01,719][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_5_minutes id=1936234221} forced-compaction result
(captures: `32` span: `PT5M5.186843125S`)
[2024-02-25T03:41:01,719][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1741908330} forced-compaction result (captures: `3` span: `PT10.006029257S`)
[2024-02-25T03:41:01,719][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1466017590} forced-compaction result (captures: `3` span: `PT10.005998457S`)
[2024-02-25T03:41:01,719][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=272063376} forced-compaction result (captures: `3` span: `PT10.005977156S`)
[2024-02-25T03:41:01,719][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1815538147} forced-compaction result (captures: `3` span: `PT10.005960056S`)
[2024-02-25T03:41:01,719][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=273831222} forced-compaction result (captures: `3` span: `PT10.005942455S`)
[2024-02-25T03:41:01,719][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1255151645} forced-compaction result (captures: `3` span: `PT10.005925855S`)
[2024-02-25T03:41:01,719][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1620128012} forced-compaction result (captures: `3` span: `PT10.005910055S`)
[2024-02-25T03:41:01,719][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1001633036} forced-compaction result (captures: `3` span: `PT10.005872154S`)
[2024-02-25T03:41:01,719][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=969583785} forced-compaction result (captures: `3` span: `PT10.005853053S`)
[2024-02-25T03:41:02,186][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:41:02,186][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:41:02,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:41:03,421][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:41:03,421][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25253
[2024-02-25T03:41:03,421][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20070
[2024-02-25T03:41:03,421][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25185
[2024-02-25T03:41:03,421][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25204
[2024-02-25T03:41:03,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:41:03,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25252
[2024-02-25T03:41:03,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20069
[2024-02-25T03:41:03,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25184
[2024-02-25T03:41:03,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25203
[2024-02-25T03:41:03,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:41:03,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:41:03,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:41:03,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:41:03,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:41:03,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:41:03,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:41:03,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:41:03,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:41:03,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:41:03,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:41:03,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:41:03,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:41:03,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:41:03,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:41:03,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:41:03,491][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:41:03,491][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:41:03,491][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:41:03,720][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:41:03,720][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:41:03,729][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:41:06,720][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:41:06,720][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:41:06,721][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=2108110993} forced-compaction result (captures: `3` span: `PT10.005908769S`)
[2024-02-25T03:41:06,721][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1130893468} forced-compaction result (captures: `3` span: `PT10.005990071S`)
[2024-02-25T03:41:06,722][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:41:07,192][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:41:07,192][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:41:07,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:41:07,964][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 0 is processing a batch of
size 1.
[2024-02-25T03:41:07,966][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: Saving checkpoint: 6725945913136//1542269
[2024-02-25T03:41:07,966][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: updateCheckpoint() 6725945913136//1542269
[2024-02-25T03:41:07,967][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 0 finished processing a batch
of 5554 bytes.
[2024-02-25T03:41:08,017][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:41:07.966214441Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:40:31+00:00\", \"time\": \"2024-02-25T03:40:31+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool12_ESS-
ESS\", \"backendSettingName\": \"APG02_HTTP12_ESS-
ESS\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Application
GatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62321,\"
httpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/ESS\\/ESS\\/VESD120.aspx?
qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d\",\"requestUri\":\"\\/ESS\\/ESS\\/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"requestQuery\":\"qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko)
Chrome\\/115.0.0.0 Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"application\\/x-www-form-
urlencoded\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":302,\"httpVersion
\":\"HTTP\\/
1.1\",\"receivedBytes\":36493,\"sentBytes\":246603,\"connectionSerialNumber\":53549
9,\"noOfConnectionRequests\":7,\"clientResponseTime\":0.006,\"timeTaken\":0.594,\"W
AFEvaluationTime\":\"0.024\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/APG02_WAFPolicy12_ESS-
ESS\",\"transactionId\":\"93c677a2ed6773e9e202d48d1ede9ec1\",\"sslEnabled\":\"on\",
\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.9.7:80\",\"serverStatus\":\"302\",\"serverResponseLatency\":\"0.564\",\"upstr
eamSourcePort\":\"31880\",\"originalHost\":\"yazure-
ag.yokogawa.com\",\"host\":\"yazure-ag.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:40:31+00:00\", \"time\": \"2024-02-25T03:40:31+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool12_ESS-
ESS\", \"backendSettingName\": \"APG02_HTTP12_ESS-
ESS\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Application
GatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62337,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/ESS\\/ESS\\/VESD120.aspx?
qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzQ%3d&DM=MA%3d
%3d\",\"requestUri\":\"\\/ESS\\/ESS\\/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzQ%3d&DM=MA%3d%3d\",\"requestQuery\":\"qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzQ%3d&DM=MA%3d%3d\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko)
Chrome\\/115.0.0.0 Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1177,\"sentBytes\":231544,\"connectionSerialNumber\":535551
,\"noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.044,\"WA
FEvaluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/APG02_WAFPolicy12_ESS-
ESS\",\"transactionId\":\"47c8e5fde382c6887f15398e14ff0d28\",\"sslEnabled\":\"on\",
\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.9.7:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.040\",\"upstr
eamSourcePort\":\"31880\",\"originalHost\":\"yazure-
ag.yokogawa.com\",\"host\":\"yazure-ag.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:40:31+00:00\", \"time\": \"2024-02-25T03:40:31+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool00_DUMMY\", \"backendSettingName\": \"APG
02_HTTP00_DUMMY\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \
"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62337,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/
favicon.ico\",\"requestUri\":\"\\/
favicon.ico\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/115.0.0.0
Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":502,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":948,\"sentBytes\":768,\"connectionSerialNumber\":535551,\"n
oOfConnectionRequests\":2,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"463dc7e02f42e0
2aa4337dedbd043d93\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"yazure-ag.yokogawa.com\",\"host\":\"\"}}]}",
"event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:40:31+00:00\", \"time\": \"2024-02-25T03:40:31+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool12_ESS-
ESS\", \"backendSettingName\": \"APG02_HTTP12_ESS-
ESS\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Application
GatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62321,\"
httpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/ESS\\/ESS\\/VESD120.aspx?
qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d\",\"requestUri\":\"\\/ESS\\/ESS\\/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"requestQuery\":\"qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko)
Chrome\\/115.0.0.0 Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"application\\/x-www-form-
urlencoded\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":302,\"httpVersion
\":\"HTTP\\/
1.1\",\"receivedBytes\":36493,\"sentBytes\":246603,\"connectionSerialNumber\":53549
9,\"noOfConnectionRequests\":7,\"clientResponseTime\":0.006,\"timeTaken\":0.594,\"W
AFEvaluationTime\":\"0.024\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/APG02_WAFPolicy12_ESS-
ESS\",\"transactionId\":\"93c677a2ed6773e9e202d48d1ede9ec1\",\"sslEnabled\":\"on\",
\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.9.7:80\",\"serverStatus\":\"302\",\"serverResponseLatency\":\"0.564\",\"upstr
eamSourcePort\":\"31880\",\"originalHost\":\"yazure-
ag.yokogawa.com\",\"host\":\"yazure-ag.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:40:31+00:00\", \"time\": \"2024-02-25T03:40:31+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool12_ESS-
ESS\", \"backendSettingName\": \"APG02_HTTP12_ESS-
ESS\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Application
GatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62337,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/ESS\\/ESS\\/VESD120.aspx?
qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzQ%3d&DM=MA%3d
%3d\",\"requestUri\":\"\\/ESS\\/ESS\\/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzQ%3d&DM=MA%3d%3d\",\"requestQuery\":\"qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzQ%3d&DM=MA%3d%3d\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko)
Chrome\\/115.0.0.0 Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1177,\"sentBytes\":231544,\"connectionSerialNumber\":535551
,\"noOfConnectionRequests\":1,\"clientResponse
Time\":0.006,\"timeTaken\":0.044,\"WAFEvaluationTime\":\"0.000\",\"WAFMode\":\"Prev
ention\",\"WAFPolicyID\":\"\\/subscriptions\\/2bd75eb1-d088-445b-a7e3-
3f0510c83ca3\\/resourceGroups\\/RG_YAzureDMZ_APG02\\/providers\\/
Microsoft.Network\\/ApplicationGatewayWebApplicationFirewallPolicies\\/
APG02_WAFPolicy12_ESS-
ESS\",\"transactionId\":\"47c8e5fde382c6887f15398e14ff0d28\",\"sslEnabled\":\"on\",
\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.9.7:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.040\",\"upstr
eamSourcePort\":\"31880\",\"originalHost\":\"yazure-
ag.yokogawa.com\",\"host\":\"yazure-ag.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:40:31+00:00\", \"time\": \"2024-02-25T03:40:31+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool00_DUMMY\", \"backendSettingName\": \"APG
02_HTTP00_DUMMY\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \
"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62337,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/
favicon.ico\",\"requestUri\":\"\\/
favicon.ico\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/115.0.0.0
Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":502,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":948,\"sentBytes\":768,\"connectionSerialNumber\":535551,\"n
oOfConnectionRequests\":2,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"463dc7e02f42e0
2aa4337dedbd043d93\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"yazure-ag.yokogawa.com\",\"host\":\"\"}}]}"}}}
[2024-02-25T03:41:08,019][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:40:31+00:00", "timeStamp"=>"2024-02-25T03:40:31+00:00",
"backendPoolName"=>"APG02_BackendPool12_ESS-ESS",
"listenerName"=>"APG02_Listener01_HTTPS", "properties"=>{"host"=>"yazure-
ag.yokogawa.com", "clientPort"=>62321, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.14.9.7:80", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.594e0,
"transactionId"=>"93c677a2ed6773e9e202d48d1ede9ec1", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/ESS/ESS/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d", "WAFEvaluationTime"=>"0.024",
"serverStatus"=>"302", "clientIP"=>"219.106.244.24", "httpStatus"=>302,
"sentBytes"=>246603, "requestUri"=>"/ESS/ESS/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy12_ESS-ESS",
"connectionSerialNumber"=>535499, "contentType"=>"application/x-www-form-
urlencoded", "originalHost"=>"yazure-ag.yokogawa.com", "sslEnabled"=>"on",
"receivedBytes"=>36493, "httpMethod"=>"POST", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_4", "requestQuery"=>"qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg
%3d%3d&SRN=MzM%3d&DM=MA%3d%3d", "error_info"=>"ERRORINFO_NO_ERROR",
"clientResponseTime"=>0.6e-2, "userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64;
x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Edg/115.0.1901.188", "upstreamSourcePort"=>"31880",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>7, "serverResponseLatency"=>"0.564"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP12_ESS-ESS",
"category"=>"ApplicationGatewayAccessLog", "ruleName"=>"APG02_RoutingRule01"},
{"time"=>"2024-02-25T03:40:31+00:00", "timeStamp"=>"2024-02-25T03:40:31+00:00",
"backendPoolName"=>"APG02_BackendPool12_ESS-ESS",
"listenerName"=>"APG02_Listener01_HTTPS", "properties"=>{"host"=>"yazure-
ag.yokogawa.com", "clientPort"=>62337, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.14.9.7:80", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.44e-1,
"transactionId"=>"47c8e5fde382c6887f15398e14ff0d28", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/ESS/ESS/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzQ%3d&DM=MA%3d%3d", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"219.106.244.24", "httpStatus"=>200,
"sentBytes"=>231544, "requestUri"=>"/ESS/ESS/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzQ%3d&DM=MA%3d%3d",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy12_ESS-ESS",
"connectionSerialNumber"=>535551, "contentType"=>"", "originalHost"=>"yazure-
ag.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>1177, "httpMethod"=>"GET",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzQ%3d&DM=MA%3d
%3d", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188",
"upstreamSourcePort"=>"31880", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>"0.040"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP12_ESS-ESS",
"category"=>"ApplicationGatewayAccessLog", "ruleName"=>"APG02_RoutingRule01"},
{"time"=>"2024-02-25T03:40:31+00:00", "timeStamp"=>"2024-02-25T03:40:31+00:00",
"backendPoolName"=>"APG02_BackendPool00_DUMMY",
"listenerName"=>"APG02_Listener01_HTTPS", "properties"=>{"host"=>"",
"clientPort"=>62337, "sslProtocol"=>"TLSv1.2", "serverRouted"=>"",
"sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"463dc7e02f42e02aa4337dedbd043d93", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/favicon.ico", "WAFEvaluationTime"=>"",
"serverStatus"=>"", "clientIP"=>"219.106.244.24", "httpStatus"=>502,
"sentBytes"=>768, "requestUri"=>"/favicon.ico", "WAFPolicyID"=>"",
"connectionSerialNumber"=>535551, "contentType"=>"", "originalHost"=>"yazure-
ag.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>948, "httpMethod"=>"GET",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4", "requestQuery"=>"",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>2,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP00_DUMMY",
"category"=>"ApplicationGatewayAccessLog", "ruleName"=>"APG02_RoutingRule01"}],
"@timestamp"=>2024-02-25T03:41:07.966214441Z, "message"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:40:31+00:00\", \"time\": \"2024-02-
25T03:40:31+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG02\", \"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_
RoutingRule01\", \"backendPoolName\": \"APG02_BackendPool12_ESS-
ESS\", \"backendSettingName\": \"APG02_HTTP12_ESS-
ESS\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Application
GatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62321,\"
httpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/ESS\\/ESS\\/VESD120.aspx?
qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d\",\"requestUri\":\"\\/ESS\\/ESS\\/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"requestQuery\":\"qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko)
Chrome\\/115.0.0.0 Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"application\\/x-www-form-
urlencoded\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":302,\"httpVersion
\":\"HTTP\\/
1.1\",\"receivedBytes\":36493,\"sentBytes\":246603,\"connectionSerialNumber\":53549
9,\"noOfConnectionRequests\":7,\"clientResponseTime\":0.006,\"timeTaken\":0.594,\"W
AFEvaluationTime\":\"0.024\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/APG02_WAFPolicy12_ESS-
ESS\",\"transactionId\":\"93c677a2ed6773e9e202d48d1ede9ec1\",\"sslEnabled\":\"on\",
\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.9.7:80\",\"serverStatus\":\"302\",\"serverResponseLatency\":\"0.564\",\"upstr
eamSourcePort\":\"31880\",\"originalHost\":\"yazure-
ag.yokogawa.com\",\"host\":\"yazure-ag.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:40:31+00:00\", \"time\": \"2024-02-25T03:40:31+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool12_ESS-
ESS\", \"backendSettingName\": \"APG02_HTTP12_ESS-
ESS\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Application
GatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62337,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/ESS\\/ESS\\/VESD120.aspx?
qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzQ%3d&DM=MA%3d
%3d\",\"requestUri\":\"\\/ESS\\/ESS\\/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzQ%3d&DM=MA%3d%3d\",\"requestQuery\":\"qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzQ%3d&DM=MA%3d%3d\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko)
Chrome\\/115.0.0.0 Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1177,\"sentBytes\":231544,\"connectionSerialNumber\":535551
,\"noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.044,\"WA
FEvaluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/APG02_WAFPolicy12_ESS-
ESS\",\"transactionId\":\"47c8e5fde382c6887f15398e14ff0d28\",\"sslEnabled\":\"o
n\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.9.7:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.040\",\"upstr
eamSourcePort\":\"31880\",\"originalHost\":\"yazure-
ag.yokogawa.com\",\"host\":\"yazure-ag.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:40:31+00:00\", \"time\": \"2024-02-25T03:40:31+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool00_DUMMY\", \"backendSettingName\": \"APG
02_HTTP00_DUMMY\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \
"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62337,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/
favicon.ico\",\"requestUri\":\"\\/
favicon.ico\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/115.0.0.0
Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":502,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":948,\"sentBytes\":768,\"connectionSerialNumber\":535551,\"n
oOfConnectionRequests\":2,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"463dc7e02f42e0
2aa4337dedbd043d93\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"yazure-ag.yokogawa.com\",\"host\":\"\"}}]}",
"event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:40:31+00:00\", \"time\": \"2024-02-25T03:40:31+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool12_ESS-
ESS\", \"backendSettingName\": \"APG02_HTTP12_ESS-
ESS\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Application
GatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62321,\"
httpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/ESS\\/ESS\\/VESD120.aspx?
qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d
%3d\",\"requestUri\":\"\\/ESS\\/ESS\\/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"requestQuery\":\"qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko)
Chrome\\/115.0.0.0 Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"application\\/x-www-form-
urlencoded\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":302,\"httpVersion
\":\"HTTP\\/
1.1\",\"receivedBytes\":36493,\"sentBytes\":246603,\"connectionSerialNumber\":53549
9,\"noOfConnectionRequests\":7,\"clientResponseTime\":0.006,\"timeTaken\":0.594,\"W
AFEvaluationTime\":\"0.024\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/APG02_WAFPolicy12_ESS-
ESS\",\"transactionId\":\"93c677a2ed6773e9e202d48d1ede9ec1\",\"sslEnabled\":\"on\",
\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.9.7:80\",\"serverStatus\":\"302\",\"serverResponseLatency\":\"0.564\",\"upstr
eamSourcePort\":\"31880\",\"originalHost\":\"yazure-
ag.yokogawa.com\",\"host\":\"yazure-ag.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:40:31+00:00\", \"time\": \"2024-02-25T03:40:31+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool12_ESS-
ESS\", \"backendSettingName\": \"APG02_HTTP12_ESS-
ESS\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Application
GatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62337,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/ESS\\/ESS\\/VESD120.aspx?
qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzQ%3d&DM=MA%3d
%3d\",\"requestUri\":\"\\/ESS\\/ESS\\/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzQ%3d&DM=MA%3d%3d\",\"requestQuery\":\"qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzQ%3d&DM=MA%3d%3d\",\"userAgent\":\"Mozilla\\/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko)
Chrome\\/115.0.0.0 Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":1177,\"sentBytes\":231544,\"connectionSerialNumber\":535551
,\"noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.044,\"WA
FEvaluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG02\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/APG02_WAFPolicy12_ESS-
ESS\",\"transactionId\":\"47c8e5fde382c6887f15398e14ff0d28\",\"sslEnabled\":\"on\",
\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.14.9.7:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.040\",\"upstr
eamSourcePort\":\"31880\",\"originalHost\":\"yazure-
ag.yokogawa.com\",\"host\":\"yazure-ag.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:40:31+00:00\", \"time\": \"2024-02-25T03:40:31+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02\",
\"listenerName\": \"APG02_Listener01_HTTPS\", \"ruleName\": \"APG02_RoutingRule01\"
, \"backendPoolName\": \"APG02_BackendPool00_DUMMY\", \"backendSettingName\": \"APG
02_HTTP00_DUMMY\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \
"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"219.106.244.24\",\"clientPort\":62337,\"
httpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/
favicon.ico\",\"requestUri\":\"\\/
favicon.ico\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/115.0.0.0
Safari\\/537.36
Edg\\/115.0.1901.188\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":502,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":948,\"sentBytes\":768,\"connectionSerialNumber\":535551,\"n
oOfConnectionRequests\":2,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"463dc7e02f42e0
2aa4337dedbd043d93\",\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"yazure-ag.yokogawa.com\",\"host\":\"\"}}]}"}}}
[2024-02-25T03:41:08,023][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:40:31+00:00", "timeStamp"=>"2024-02-
25T03:40:31+00:00", "backendPoolName"=>"APG02_BackendPool12_ESS-ESS",
"listenerName"=>"APG02_Listener01_HTTPS", "properties"=>{"host"=>"yazure-
ag.yokogawa.com", "clientPort"=>62321, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.14.9.7:80", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.594e0,
"transactionId"=>"93c677a2ed6773e9e202d48d1ede9ec1", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/ESS/ESS/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d", "WAFEvaluationTime"=>"0.024",
"serverStatus"=>"302", "clientIP"=>"219.106.244.24", "httpStatus"=>302,
"sentBytes"=>246603, "requestUri"=>"/ESS/ESS/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzM%3d&DM=MA%3d%3d",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy12_ESS-ESS",
"connectionSerialNumber"=>535499, "contentType"=>"application/x-www-form-
urlencoded", "originalHost"=>"yazure-ag.yokogawa.com", "sslEnabled"=>"on",
"receivedBytes"=>36493, "httpMethod"=>"POST", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_4", "requestQuery"=>"qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg
%3d%3d&SRN=MzM%3d&DM=MA%3d%3d", "error_info"=>"ERRORINFO_NO_ERROR",
"clientResponseTime"=>0.6e-2, "userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64;
x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Edg/115.0.1901.188", "upstreamSourcePort"=>"31880",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>7, "serverResponseLatency"=>"0.564"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP12_ESS-ESS",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule01"}, :field=>"records"}
[2024-02-25T03:41:08,023][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:40:31+00:00", "timeStamp"=>"2024-02-
25T03:40:31+00:00", "backendPoolName"=>"APG02_BackendPool12_ESS-ESS",
"listenerName"=>"APG02_Listener01_HTTPS", "properties"=>{"host"=>"yazure-
ag.yokogawa.com", "clientPort"=>62337, "sslProtocol"=>"TLSv1.2",
"serverRouted"=>"10.14.9.7:80", "sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384",
"WAFMode"=>"Prevention", "timeTaken"=>0.44e-1,
"transactionId"=>"47c8e5fde382c6887f15398e14ff0d28", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/ESS/ESS/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE
%3d&EM=Mg%3d%3d&SRN=MzQ%3d&DM=MA%3d%3d", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"219.106.244.24", "httpStatus"=>200,
"sentBytes"=>231544, "requestUri"=>"/ESS/ESS/VESD120.aspx?qn=MTUwMDU3NzYzOQ%3d
%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzQ%3d&DM=MA%3d%3d",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG02/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG02_WAFPolicy12_ESS-ESS",
"connectionSerialNumber"=>535551, "contentType"=>"", "originalHost"=>"yazure-
ag.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>1177, "httpMethod"=>"GET",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"qn=MTUwMDU3NzYzOQ%3d%3d&pn=MDE%3d&EM=Mg%3d%3d&SRN=MzQ%3d&DM=MA%3d
%3d", "error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188",
"upstreamSourcePort"=>"31880", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>"0.040"}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP12_ESS-ESS",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule01"}, :field=>"records"}
[2024-02-25T03:41:08,024][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:40:31+00:00", "timeStamp"=>"2024-02-
25T03:40:31+00:00", "backendPoolName"=>"APG02_BackendPool00_DUMMY",
"listenerName"=>"APG02_Listener01_HTTPS", "properties"=>{"host"=>"",
"clientPort"=>62337, "sslProtocol"=>"TLSv1.2", "serverRouted"=>"",
"sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"463dc7e02f42e02aa4337dedbd043d93", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/favicon.ico", "WAFEvaluationTime"=>"",
"serverStatus"=>"", "clientIP"=>"219.106.244.24", "httpStatus"=>502,
"sentBytes"=>768, "requestUri"=>"/favicon.ico", "WAFPolicyID"=>"",
"connectionSerialNumber"=>535551, "contentType"=>"", "originalHost"=>"yazure-
ag.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>948, "httpMethod"=>"GET",
"sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4", "requestQuery"=>"",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.1", "noOfConnectionRequests"=>2,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG02/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-AZURE_APG02",
"backendSettingName"=>"APG02_HTTP00_DUMMY",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG02_RoutingRule01"}, :field=>"records"}
[2024-02-25T03:41:08,034][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>3, :payload_size=>43312, :content_length=>3624, :batch_offset=>0}
[2024-02-25T03:41:08,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:41:08,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20252
[2024-02-25T03:41:08,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25069
[2024-02-25T03:41:08,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20184
[2024-02-25T03:41:08,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20203
[2024-02-25T03:41:08,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:41:08,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20252
[2024-02-25T03:41:08,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25069
[2024-02-25T03:41:08,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20184
[2024-02-25T03:41:08,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20203
[2024-02-25T03:41:08,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:41:08,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:41:08,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:41:08,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:41:08,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:41:08,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:41:08,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:41:08,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:41:08,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:41:08,422][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:41:08,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:41:08,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:41:08,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:41:08,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:41:08,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:41:08,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:41:08,606][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:41:08,606][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:41:08,606][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:41:08,625][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:41:08,625][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:41:08,625][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:41:08,674][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:41:08,674][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:41:08,675][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:41:09,717][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:41:09,717][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:41:09,725][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:41:12,200][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:41:12,200][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:41:12,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:41:12,719][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:41:12,719][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:41:12,721][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:41:12,983][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_fa3633_1708832068590_MF_dea4fe_1708832068367-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
0], linkName[LN_f9801c_1708832068620_e07_G30] - Reschedule operation timer,
current: [2024-02-25T03:41:12.983501219Z], remaining: [54] secs
[2024-02-25T03:41:12,984][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_fa3633_1708832068590_MF_dea4fe_1708832068367-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
0], linkName[LN_f9801c_1708832068620_e07_G30] - Reschedule operation timer,
current: [2024-02-25T03:41:12.984943750Z], remaining: [54] secs
[2024-02-25T03:41:13,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:41:13,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:41:13,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25251
[2024-02-25T03:41:13,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20068
[2024-02-25T03:41:13,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25251
[2024-02-25T03:41:13,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20068
[2024-02-25T03:41:13,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25183
[2024-02-25T03:41:13,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25202
[2024-02-25T03:41:13,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:41:13,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:41:13,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:41:13,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:41:13,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:41:13,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:41:13,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:41:13,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:41:13,423][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25183
[2024-02-25T03:41:13,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25201
[2024-02-25T03:41:13,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:41:13,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:41:13,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:41:13,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:41:13,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:41:13,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:41:13,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:41:13,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:41:13,492][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:41:13,492][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:41:13,492][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:41:14,344][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_539107_1708832038496_MF_00b33c_1708832038383-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
2], linkName[LN_c22bd3_1708832038545_dc7f_G9] - Reschedule operation timer,
current: [2024-02-25T03:41:14.344604465Z], remaining: [28] secs
[2024-02-25T03:41:15,717][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:41:15,717][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:41:15,726][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:41:16,725][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=347708838} forced-compaction result
(captures: `13` span: `PT1M0.030494117S`)
[2024-02-25T03:41:16,725][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1975461151} forced-compaction result
(captures: `13` span: `PT1M0.030482717S`)
[2024-02-25T03:41:16,725][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=834359250} forced-compaction result
(captures: `13` span: `PT1M0.030501617S`)
[2024-02-25T03:41:16,725][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=212501865} forced-compaction result
(captures: `13` span: `PT1M0.030504117S`)
[2024-02-25T03:41:16,725][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1420193271} forced-compaction result
(captures: `13` span: `PT1M0.030500217S`)
[2024-02-25T03:41:16,917][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is processing a batch of
size 1.
[2024-02-25T03:41:16,919][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Saving checkpoint: 1533313500152//1261849
[2024-02-25T03:41:16,919][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: updateCheckpoint() 1533313500152//1261849
[2024-02-25T03:41:16,919][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 finished processing a batch
of 5192 bytes.
[2024-02-25T03:41:16,970][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:41:16.918801067Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:40:43+00:00\", \"time\": \"2024-02-25T03:40:43+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"5.188.210.84\",\"clientPort\":52221,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=30443&mode=al2&namber=41284&no=0&page=0&rev=1&space=285\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=30443&mode=al2&namber=41284&no=0&page=0&rev=1&spac
e=285\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/117.0.0.0 Iron
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.0\",\"receivedBytes\":496,\"sentBytes\":509,\"connectionSerialNumber\":509685,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"5c483eaf056a9d
62f4387fe5b2e6565c\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:40:45+00:00\", \"time\": \"2024-02-
25T03:40:45+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"5.188.210.84\",\"clientPort\":52372,\"ht
tpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi\",\"requestUri\":\"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/117.0.0.0 Iron
Safari\\/537.36\",\"contentType\":\"multipart\\/form-data;
boundary=8b202e0cb5c93\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":403,\
"httpVersion\":\"HTTP\\/
1.0\",\"receivedBytes\":1771,\"sentBytes\":757,\"connectionSerialNumber\":509686,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.221,\"timeTaken\":0.224,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"d04494f58eadbca49c003e51e3001ce8\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:40:47+00:00\", \"time\": \"2024-02-
25T03:40:47+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.6\",\"clientPort\":2728,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=509440&no=0&rev\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=509440&no=0&rev\",\"userAgent\":\"Moz
illa\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":356,\"sentBytes\":6141,\"connectionSerialNumber\":509688,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.061,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"4d3dba64ecff6896ab0b6471d550c142\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"18210\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:40:43+00:00\", \"time\": \"2024-02-
25T03:40:43+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"5.188.210.84\",\"clientPort\":52221,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=30443&mode=al2&namber=41284&no=0&page=0&rev=1&space=285\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=30443&mode=al2&namber=41284&no=0&page=0&rev=1&spac
e=285\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/117.0.0.0 Iron
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.0\",\"receivedBytes\":496,\"sentBytes\":509,\"connectionSerialNumber\":509685,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"5c483eaf056a9d
62f4387fe5b2e6565c\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:40:45+00:00\", \"time\": \"2024-02-
25T03:40:45+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"5.188.210.84\",\"clientPort\":52372,\"ht
tpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi\",\"requestUri\":\"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/117.0.0.0 Iron
Safari\\/537.36\",\"contentType\":\"multipart\\/form-data;
boundary=8b202e0cb5c93\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":403,\
"httpVersion\":\"HTTP\\/
1.0\",\"receivedBytes\":1771,\"sentBytes\":757,\"connectionSerialNumber\":509686,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.221,\"timeTaken\":0.224,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"d04494f58eadbca49c003e51e3001ce8\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:40:47+00:00\", \"time\": \"2024-02-
25T03:40:47+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-AZURE_APG01_V2\",
\"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\": \"APG01_RoutingR
ule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\", \"backendSetting
Name\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGatewayAccess\", \"
category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.6\",\"clientPort\":2728,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=509440&no=0&rev\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=509440&no=0&rev\",\"userAgent\":\"Moz
illa\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":356,\"sentBytes\":6141,\"connectionSerialNumber\":509688,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.061,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"4d3dba64ecff6896ab0b6471d550c142\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"18210\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:41:16,971][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:40:43+00:00", "timeStamp"=>"2024-02-25T03:40:43+00:00",
"listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect", "properties"=>{"host"=>"",
"clientPort"=>52221, "sslProtocol"=>"", "serverRouted"=>"", "sslCipher"=>"",
"WAFMode"=>"", "timeTaken"=>0, "transactionId"=>"5c483eaf056a9d62f4387fe5b2e6565c",
"sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mo=30443&mode=al2&namber=41284&no=0&page=0&rev=1&space=285",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"5.188.210.84",
"httpStatus"=>301, "sentBytes"=>509,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509685, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>496,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mo=30443&mode=al2&namber=41284&no=0&page=0&rev=1&space=285",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/117.0.0.0 Iron Safari/537.36", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.0",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, {"time"=>"2024-02-
25T03:40:45+00:00", "timeStamp"=>"2024-02-25T03:40:45+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP", "properties"=>{"host"=>"",
"clientPort"=>52372, "sslProtocol"=>"TLSv1.2", "serverRouted"=>"",
"sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"Prevention",
"timeTaken"=>0.224e0, "transactionId"=>"d04494f58eadbca49c003e51e3001ce8",
"sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFEvaluationTime"=>"0.004", "serverStatus"=>"", "clientIP"=>"5.188.210.84",
"httpStatus"=>403, "sentBytes"=>757,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509686, "contentType"=>"multipart/form-data;
boundary=8b202e0cb5c93", "originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on",
"receivedBytes"=>1771, "httpMethod"=>"POST", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_2", "requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR",
"clientResponseTime"=>0.221e0, "userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64;
x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Iron Safari/537.36",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.0", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, {"time"=>"2024-02-25T03:40:47+00:00",
"timeStamp"=>"2024-02-25T03:40:47+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>2728,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.61e-1,
"transactionId"=>"4d3dba64ecff6896ab0b6471d550c142", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&namber=509440&no=0&rev", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"185.191.171.6", "httpStatus"=>200,
"sentBytes"=>6141, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509688, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>356,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&namber=509440&no=0&rev",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"18210",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.060"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}], "@timestamp"=>2024-02-
25T03:41:16.918801067Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:40:43+00:00\", \"time\": \"2024-02-25T03:40:43+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"5.188.210.84\",\"clientPort\":52221,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=30443&mode=al2&namber=41284&no=0&page=0&rev=1&space=285\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=30443&mode=al2&namber=41284&no=0&page=0&rev=1&spac
e=285\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/117.0.0.0 Iron
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.0\",\"receivedBytes\":496,\"sentBytes\":509,\"connectionSerialNumber\":509685,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"5c483eaf056a9d
62f4387fe5b2e6565c\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:40:45+00:00\", \"time\": \"2024-02-
25T03:40:45+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"5.188.210.84\",\"clientPort\":52372,\"ht
tpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi\",\"requestUri\":\"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/117.0.0.0 Iron
Safari\\/537.36\",\"contentType\":\"multipart\\/form-data;
boundary=8b202e0cb5c93\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":403,\
"httpVersion\":\"HTTP\\/
1.0\",\"receivedBytes\":1771,\"sentBytes\":757,\"connectionSerialNumber\":509686,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.221,\"timeTaken\":0.224,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"d04494f58eadbca49c003e51e3001ce8\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:40:47+00:00\", \"time\": \"2024-02-
25T03:40:47+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.6\",\"clientPort\":2728,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/cbbs\\/cbbs.cgi?
mode=al2&namber=509440&no=0&rev\",\"requestUri\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=509440&no=0&rev\",\"userAgent\":\"Moz
illa\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":356,\"sentBytes\":6141,\"connectionSerialNumber\":509688,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.061,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"4d3dba64ecff6896ab0b6471d550c142\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"18210\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:40:43+00:00\", \"time\": \"2024-02-
25T03:40:43+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"5.188.210.84\",\"clientPort\":52221,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=30443&mode=al2&namber=41284&no=0&page=0&rev=1&space=285\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=30443&mode=al2&namber=41284&no=0&page=0&rev=1&spac
e=285\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/117.0.0.0 Iron
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.0\",\"receivedBytes\":496,\"sentBytes\":509,\"connectionSerialNumber\":509685,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"5c483eaf056a9d
62f4387fe5b2e6565c\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:40:45+00:00\", \"time\": \"2024-02-
25T03:40:45+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"5.188.210.84\",\"clientPort\":52372,\"ht
tpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi\",\"requestUri\":\"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/117.0.0.0 Iron
Safari\\/537.36\",\"contentType\":\"multipart\\/form-data;
boundary=8b202e0cb5c93\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":403,\
"httpVersion\":\"HTTP\\/
1.0\",\"receivedBytes\":1771,\"sentBytes\":757,\"connectionSerialNumber\":509686,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.221,\"timeTaken\":0.224,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"d04494f58eadbca49c003e51e3001ce8\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"\"}},{ \"timeStamp\": \"2024-
02-25T03:40:47+00:00\", \"time\": \"2024-02-
25T03:40:47+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.6\",\"clientPort\":2728,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=509440&no=0&rev\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=509440&no=0&rev\",\"userAgent\":\"Moz
illa\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":356,\"sentBytes\":6141,\"connectionSerialNumber\":509688,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.061,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"4d3dba64ecff6896ab0b6471d550c142\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"18210\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:41:16,972][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:40:43+00:00", "timeStamp"=>"2024-02-
25T03:40:43+00:00", "listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect",
"properties"=>{"host"=>"", "clientPort"=>52221, "sslProtocol"=>"",
"serverRouted"=>"", "sslCipher"=>"", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"5c483eaf056a9d62f4387fe5b2e6565c", "sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mo=30443&mode=al2&namber=41284&no=0&page=0&rev=1&space=285",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"5.188.210.84",
"httpStatus"=>301, "sentBytes"=>509,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509685, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>496,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mo=30443&mode=al2&namber=41284&no=0&page=0&rev=1&space=285",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/117.0.0.0 Iron Safari/537.36", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.0",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, :field=>"records"}
[2024-02-25T03:41:16,972][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:40:45+00:00", "timeStamp"=>"2024-02-
25T03:40:45+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP", "properties"=>{"host"=>"",
"clientPort"=>52372, "sslProtocol"=>"TLSv1.2", "serverRouted"=>"",
"sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"Prevention",
"timeTaken"=>0.224e0, "transactionId"=>"d04494f58eadbca49c003e51e3001ce8",
"sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFEvaluationTime"=>"0.004", "serverStatus"=>"", "clientIP"=>"5.188.210.84",
"httpStatus"=>403, "sentBytes"=>757,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509686, "contentType"=>"multipart/form-data;
boundary=8b202e0cb5c93", "originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on",
"receivedBytes"=>1771, "httpMethod"=>"POST", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_2", "requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR",
"clientResponseTime"=>0.221e0, "userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64;
x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Iron Safari/537.36",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.0", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:41:16,976][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:40:47+00:00", "timeStamp"=>"2024-02-
25T03:40:47+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>2728,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.61e-1,
"transactionId"=>"4d3dba64ecff6896ab0b6471d550c142", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&namber=509440&no=0&rev", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"185.191.171.6", "httpStatus"=>200,
"sentBytes"=>6141, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509688, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>356,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&namber=509440&no=0&rev",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"18210",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.060"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:41:16,987][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>3, :payload_size=>40495, :content_length=>3735, :batch_offset=>0}
[2024-02-25T03:41:17,211][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:41:17,212][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:41:17,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:41:18,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:41:18,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20250
[2024-02-25T03:41:18,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25068
[2024-02-25T03:41:18,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20182
[2024-02-25T03:41:18,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20201
[2024-02-25T03:41:18,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:41:18,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20250
[2024-02-25T03:41:18,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25068
[2024-02-25T03:41:18,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20182
[2024-02-25T03:41:18,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20201
[2024-02-25T03:41:18,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:41:18,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:41:18,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:41:18,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:41:18,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:41:18,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:41:18,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:41:18,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:41:18,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:41:18,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:41:18,424][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:41:18,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:41:18,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:41:18,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:41:18,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:41:18,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:41:18,606][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:41:18,606][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:41:18,606][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:41:18,625][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:41:18,625][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:41:18,625][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:41:18,675][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:41:18,675][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:41:18,675][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:41:18,721][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:41:18,721][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:41:18,723][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:41:21,719][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:41:21,719][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:41:21,721][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:41:21,727][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1185004608} forced-compaction result
(captures: `13` span: `PT1M0.029851343S`)
[2024-02-25T03:41:21,728][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=470312551} forced-compaction result
(captures: `13` span: `PT1M0.029783443S`)
[2024-02-25T03:41:21,728][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1089746968} forced-compaction result
(captures: `13` span: `PT1M0.029758042S`)
[2024-02-25T03:41:21,728][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=852728684} forced-compaction result
(captures: `13` span: `PT1M0.029755541S`)
[2024-02-25T03:41:21,728][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2044420810} forced-compaction result
(captures: `13` span: `PT1M0.029701241S`)
[2024-02-25T03:41:21,728][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=650053832} forced-compaction result
(captures: `13` span: `PT1M0.029691241S`)
[2024-02-25T03:41:21,728][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1206567167} forced-compaction result
(captures: `13` span: `PT1M0.02967964S`)
[2024-02-25T03:41:21,728][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1766603669} forced-compaction result
(captures: `13` span: `PT1M0.029682441S`)
[2024-02-25T03:41:21,728][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1260640580} forced-compaction result
(captures: `13` span: `PT1M0.02967194S`)
[2024-02-25T03:41:21,728][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=352608672} forced-compaction result
(captures: `13` span: `PT1M0.02966864S`)
[2024-02-25T03:41:21,728][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=83404487} forced-compaction result
(captures: `13` span: `PT1M0.029665339S`)
[2024-02-25T03:41:21,728][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=216053086} forced-compaction result
(captures: `13` span: `PT1M0.02966444S`)
[2024-02-25T03:41:21,728][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1499243647} forced-compaction result
(captures: `13` span: `PT1M0.02966294S`)
[2024-02-25T03:41:21,728][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1877198741} forced-compaction result
(captures: `13` span: `PT1M0.029659939S`)
[2024-02-25T03:41:22,216][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:41:22,216][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:41:22,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:41:23,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:41:23,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25250
[2024-02-25T03:41:23,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20067
[2024-02-25T03:41:23,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25181
[2024-02-25T03:41:23,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25200
[2024-02-25T03:41:23,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:41:23,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25250
[2024-02-25T03:41:23,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20067
[2024-02-25T03:41:23,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:41:23,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25181
[2024-02-25T03:41:23,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25200
[2024-02-25T03:41:23,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:41:23,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:41:23,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:41:23,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:41:23,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:41:23,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:41:23,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:41:23,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:41:23,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:41:23,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:41:23,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:41:23,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:41:23,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:41:23,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:41:23,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:41:23,492][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:41:23,492][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:41:23,492][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:41:24,719][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:41:24,719][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:41:24,721][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:41:26,730][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1206079401} forced-compaction result (captures: `3` span: `PT10.004896515S`)
[2024-02-25T03:41:26,730][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=725814568} forced-compaction result (captures: `3` span: `PT10.004902515S`)
[2024-02-25T03:41:26,730][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1730595321} forced-compaction result (captures: `3` span: `PT10.004869014S`)
[2024-02-25T03:41:26,730][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2047832316} forced-compaction result
(captures: `13` span: `PT1M0.029599379S`)
[2024-02-25T03:41:26,730][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=267304298} forced-compaction result
(captures: `13` span: `PT1M0.029579679S`)
[2024-02-25T03:41:27,221][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:41:27,221][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:41:27,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:41:27,720][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:41:27,720][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:41:27,721][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:41:28,314][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is processing a batch of
size 1.
[2024-02-25T03:41:28,316][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Saving checkpoint: 1533313505416//1261850
[2024-02-25T03:41:28,316][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: updateCheckpoint() 1533313505416//1261850
[2024-02-25T03:41:28,316][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 finished processing a batch
of 1516 bytes.
[2024-02-25T03:41:28,367][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:41:28.315777397Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:40:57+00:00\", \"time\": \"2024-02-25T03:40:57+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.13\",\"clientPort\":4378,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=735&mode=al2&namber=5789364&no=0&page=80&rev=0&space=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=735&mode=al2&namber=5789364&no=0&page=80&rev=0&spa
ce=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":382,\"sentBytes\":508,\"connectionSerialNumber\":509691,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"5677435099c389
695de1fe70ca41771f\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}", "event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-
02-25T03:40:57+00:00\", \"time\": \"2024-02-
25T03:40:57+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.13\",\"clientPort\":4378,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=735&mode=al2&namber=5789364&no=0&page=80&rev=0&space=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=735&mode=al2&namber=5789364&no=0&page=80&rev=0&spa
ce=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":382,\"sentBytes\":508,\"connectionSerialNumber\":509691,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"5677435099c389
695de1fe70ca41771f\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}"}}}
[2024-02-25T03:41:28,367][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:40:57+00:00", "timeStamp"=>"2024-02-25T03:40:57+00:00",
"listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect", "properties"=>{"host"=>"",
"clientPort"=>4378, "sslProtocol"=>"", "serverRouted"=>"", "sslCipher"=>"",
"WAFMode"=>"", "timeTaken"=>0, "transactionId"=>"5677435099c389695de1fe70ca41771f",
"sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mo=735&mode=al2&namber=5789364&no=0&page=80&rev=0&space=0",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"185.191.171.13",
"httpStatus"=>301, "sentBytes"=>508,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509691, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>382,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mo=735&mode=al2&namber=5789364&no=0&page=80&rev=0&space=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}], "@timestamp"=>2024-02-
25T03:41:28.315777397Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:40:57+00:00\", \"time\": \"2024-02-25T03:40:57+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.13\",\"clientPort\":4378,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=735&mode=al2&namber=5789364&no=0&page=80&rev=0&space=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=735&mode=al2&namber=5789364&no=0&page=80&rev=0&spa
ce=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":382,\"sentBytes\":508,\"connectionSerialNumber\":509691,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"5677435099c389
695de1fe70ca41771f\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}", "event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-
02-25T03:40:57+00:00\", \"time\": \"2024-02-
25T03:40:57+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.13\",\"clientPort\":4378,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=735&mode=al2&namber=5789364&no=0&page=80&rev=0&space=0\",\"requestUri\":\"\\/
cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=735&mode=al2&namber=5789364&no=0&page=80&rev=0&spa
ce=0\",\"userAgent\":\"Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":382,\"sentBytes\":508,\"connectionSerialNumber\":509691,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"5677435099c389
695de1fe70ca41771f\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}"}}}
[2024-02-25T03:41:28,368][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:40:57+00:00", "timeStamp"=>"2024-02-
25T03:40:57+00:00", "listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect",
"properties"=>{"host"=>"", "clientPort"=>4378, "sslProtocol"=>"",
"serverRouted"=>"", "sslCipher"=>"", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"5677435099c389695de1fe70ca41771f", "sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mo=735&mode=al2&namber=5789364&no=0&page=80&rev=0&space=0",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"185.191.171.13",
"httpStatus"=>301, "sentBytes"=>508,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509691, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>382,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mo=735&mode=al2&namber=5789364&no=0&page=80&rev=0&space=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, :field=>"records"}
[2024-02-25T03:41:28,370][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>1, :payload_size=>5219, :content_length=>1504, :batch_offset=>0}
[2024-02-25T03:41:28,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:41:28,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:41:28,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20250
[2024-02-25T03:41:28,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20250
[2024-02-25T03:41:28,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25067
[2024-02-25T03:41:28,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25067
[2024-02-25T03:41:28,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20181
[2024-02-25T03:41:28,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20181
[2024-02-25T03:41:28,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20200
[2024-02-25T03:41:28,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20200
[2024-02-25T03:41:28,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:41:28,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:41:28,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:41:28,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:41:28,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:41:28,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:41:28,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:41:28,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:41:28,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:41:28,425][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:41:28,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:41:28,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:41:28,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:41:28,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:41:28,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:41:28,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:41:28,606][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:41:28,607][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:41:28,607][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:41:28,626][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:41:28,626][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:41:28,626][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:41:28,675][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:41:28,675][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:41:28,675][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:41:30,723][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:41:30,723][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:41:30,725][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:41:31,732][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=540156057} forced-compaction result (captures: `3` span: `PT10.004753512S`)
[2024-02-25T03:41:31,732][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1346215174} forced-compaction result (captures: `3` span: `PT10.004894915S`)
[2024-02-25T03:41:31,732][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=827149645} forced-compaction result (captures: `3` span: `PT10.004995717S`)
[2024-02-25T03:41:31,732][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=235286487} forced-compaction result (captures: `3` span: `PT10.004936315S`)
[2024-02-25T03:41:31,732][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1065480294} forced-compaction result (captures: `3` span: `PT10.004931216S`)
[2024-02-25T03:41:31,733][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=57188157} forced-compaction result (captures: `3` span: `PT10.004931716S`)
[2024-02-25T03:41:31,733][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1486130488} forced-compaction result (captures: `3` span: `PT10.004933615S`)
[2024-02-25T03:41:31,733][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1741908330} forced-compaction result (captures: `3` span: `PT10.004936015S`)
[2024-02-25T03:41:31,733][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1466017590} forced-compaction result (captures: `3` span: `PT10.004936916S`)
[2024-02-25T03:41:31,733][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=272063376} forced-compaction result (captures: `3` span: `PT10.004932115S`)
[2024-02-25T03:41:31,733][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1815538147} forced-compaction result (captures: `3` span: `PT10.004940116S`)
[2024-02-25T03:41:31,733][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=273831222} forced-compaction result (captures: `3` span: `PT10.004950916S`)
[2024-02-25T03:41:31,733][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1255151645} forced-compaction result (captures: `3` span: `PT10.004953016S`)
[2024-02-25T03:41:31,733][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1620128012} forced-compaction result (captures: `3` span: `PT10.004955216S`)
[2024-02-25T03:41:31,733][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1001633036} forced-compaction result (captures: `3` span: `PT10.004960016S`)
[2024-02-25T03:41:31,733][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=969583785} forced-compaction result (captures: `3` span: `PT10.004962317S`)
[2024-02-25T03:41:32,225][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:41:32,225][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:41:32,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:41:33,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:41:33,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:41:33,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25249
[2024-02-25T03:41:33,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20066
[2024-02-25T03:41:33,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25249
[2024-02-25T03:41:33,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25181
[2024-02-25T03:41:33,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20066
[2024-02-25T03:41:33,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25200
[2024-02-25T03:41:33,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25181
[2024-02-25T03:41:33,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25200
[2024-02-25T03:41:33,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:41:33,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:41:33,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:41:33,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:41:33,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:41:33,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:41:33,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:41:33,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:41:33,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:41:33,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:41:33,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:41:33,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:41:33,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:41:33,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:41:33,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:41:33,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:41:33,492][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:41:33,493][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:41:33,493][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:41:33,718][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:41:33,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:41:33,719][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:41:36,718][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:41:36,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:41:36,719][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:41:36,735][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=2108110993} forced-compaction result (captures: `3` span: `PT10.004943216S`)
[2024-02-25T03:41:36,736][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1130893468} forced-compaction result (captures: `3` span: `PT10.005396926S`)
[2024-02-25T03:41:37,231][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:41:37,231][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:41:37,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:41:38,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:41:38,426][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:41:38,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20248
[2024-02-25T03:41:38,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25066
[2024-02-25T03:41:38,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20248
[2024-02-25T03:41:38,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20180
[2024-02-25T03:41:38,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25066
[2024-02-25T03:41:38,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20199
[2024-02-25T03:41:38,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20180
[2024-02-25T03:41:38,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20199
[2024-02-25T03:41:38,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:41:38,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:41:38,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:41:38,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:41:38,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:41:38,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:41:38,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:41:38,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:41:38,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:41:38,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:41:38,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:41:38,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:41:38,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:41:38,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:41:38,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:41:38,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:41:38,607][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:41:38,607][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:41:38,607][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:41:38,626][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:41:38,626][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:41:38,626][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:41:38,675][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:41:38,676][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:41:38,676][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:41:39,624][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 is processing a batch of
size 1.
[2024-02-25T03:41:39,626][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: Saving checkpoint: 1533336289808//1261945
[2024-02-25T03:41:39,626][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: updateCheckpoint() 1533336289808//1261945
[2024-02-25T03:41:39,626][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 finished processing a batch
of 3510 bytes.
[2024-02-25T03:41:39,626][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
1], linkName[LN_7535a2_1708832073460_45c_G10] - schedule operation timer, current:
[2024-02-25T03:41:39.626331962Z], remaining: [60] secs
[2024-02-25T03:41:39,676][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:41:39.625422343Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:41:13+00:00\", \"time\": \"2024-02-25T03:41:13+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"23.94.162.190\",\"clientPort\":41655,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=6293&namber=5789364&space=0&rev=0&page=0&In=1&no=0\",\"requestUri\":\"\
\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=6293&namber=5789364&space=0&rev=0&page=0&
In=1&no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox
One) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/114.0.0.0 Safari\\/537.36
Edge\\/44.18363.8131\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":785,\"sentBytes\":7689,\"connectionSerialNumber\":510168,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.065,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"c319b79edfe7214a0c289694016e5705\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"49918\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:41:19+00:00\", \"time\": \"2024-02-25T03:41:19+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"5.188.210.91\",\"clientPort\":59867,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=18606&mode=al2&namber=41284&no=0&page=0&rev=1&space=0\",\"requestUri\":\"\\/cgi-
bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=18606&mode=al2&namber=41284&no=0&page=0&rev=1&spac
e=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 6.1; Win64; x64)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/108.0.0.0
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.0\",\"receivedBytes\":486,\"sentBytes\":507,\"connectionSerialNumber\":510169,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"6957d731a24768
41b01f98e8b24e1fab\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}", "event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-
02-25T03:41:13+00:00\", \"time\": \"2024-02-
25T03:41:13+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"23.94.162.190\",\"clientPort\":41655,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=6293&namber=5789364&space=0&rev=0&page=0&In=1&no=0\",\"requestUri\":\"\
\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=6293&namber=5789364&space=0&rev=0&page=0&
In=1&no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox
One) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/114.0.0.0 Safari\\/537.36
Edge\\/44.18363.8131\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":785,\"sentBytes\":7689,\"connectionSerialNumber\":510168,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.065,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"c319b79edfe7214a0c289694016e5705\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"49918\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:41:19+00:00\", \"time\": \"2024-02-25T03:41:19+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"5.188.210.91\",\"clientPort\":59867,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=18606&mode=al2&namber=41284&no=0&page=0&rev=1&space=0\",\"requestUri\":\"\\/cgi-
bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=18606&mode=al2&namber=41284&no=0&page=0&rev=1&spac
e=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 6.1; Win64; x64)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/108.0.0.0
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.0\",\"receivedBytes\":486,\"sentBytes\":507,\"connectionSerialNumber\":510169,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"6957d731a24768
41b01f98e8b24e1fab\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}"}}}
[2024-02-25T03:41:39,677][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:41:13+00:00", "timeStamp"=>"2024-02-25T03:41:13+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>41655,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.65e-1,
"transactionId"=>"c319b79edfe7214a0c289694016e5705", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&mo=6293&namber=5789364&space=0&rev=0&page=0&In=1&no=0",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"23.94.162.190",
"httpStatus"=>200, "sentBytes"=>7689,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>510168, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>785,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=al2&mo=6293&namber=5789364&space=0&rev=0&page=0&In=1&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Edge/44.18363.8131", "upstreamSourcePort"=>"49918",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.064"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, {"time"=>"2024-02-25T03:41:19+00:00",
"timeStamp"=>"2024-02-25T03:41:19+00:00",
"listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect", "properties"=>{"host"=>"",
"clientPort"=>59867, "sslProtocol"=>"", "serverRouted"=>"", "sslCipher"=>"",
"WAFMode"=>"", "timeTaken"=>0, "transactionId"=>"6957d731a2476841b01f98e8b24e1fab",
"sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mo=18606&mode=al2&namber=41284&no=0&page=0&rev=1&space=0", "WAFEvaluationTime"=>"",
"serverStatus"=>"", "clientIP"=>"5.188.210.91", "httpStatus"=>301,
"sentBytes"=>507, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"", "connectionSerialNumber"=>510169, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>486,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mo=18606&mode=al2&namber=41284&no=0&page=0&rev=1&space=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/108.0.0.0 Safari/537.36", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.0",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}], "@timestamp"=>2024-02-
25T03:41:39.625422343Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:41:13+00:00\", \"time\": \"2024-02-25T03:41:13+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"23.94.162.190\",\"clientPort\":41655,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=6293&namber=5789364&space=0&rev=0&page=0&In=1&no=0\",\"requestUri\":\"\
\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=6293&namber=5789364&space=0&rev=0&page=0&
In=1&no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox
One) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/114.0.0.0 Safari\\/537.36
Edge\\/44.18363.8131\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":785,\"sentBytes\":7689,\"connectionSerialNumber\":510168,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.065,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"c319b79edfe7214a0c289694016e5705\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"49918\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:41:19+00:00\", \"time\": \"2024-02-25T03:41:19+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"5.188.210.91\",\"clientPort\":59867,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=18606&mode=al2&namber=41284&no=0&page=0&rev=1&space=0\",\"requestUri\":\"\\/cgi-
bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=18606&mode=al2&namber=41284&no=0&page=0&rev=1&spac
e=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 6.1; Win64; x64)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/108.0.0.0
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.0\",\"receivedBytes\":486,\"sentBytes\":507,\"connectionSerialNumber\":510169,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"6957d731a24768
41b01f98e8b24e1fab\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}", "event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-
02-25T03:41:13+00:00\", \"time\": \"2024-02-
25T03:41:13+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"23.94.162.190\",\"clientPort\":41655,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=6293&namber=5789364&space=0&rev=0&page=0&In=1&no=0\",\"requestUri\":\"\
\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=6293&namber=5789364&space=0&rev=0&page=0&
In=1&no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox
One) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/114.0.0.0 Safari\\/537.36
Edge\\/44.18363.8131\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":785,\"sentBytes\":7689,\"connectionSerialNumber\":510168,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.006,\"timeTaken\":0.065,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"c319b79edfe7214a0c289694016e5705\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"49918\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{
\"timeStamp\": \"2024-02-25T03:41:19+00:00\", \"time\": \"2024-02-
25T03:41:19+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"5.188.210.91\",\"clientPort\":59867,\"ht
tpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mo=18606&mode=al2&namber=41284&no=0&page=0&rev=1&space=0\",\"requestUri\":\"\\/cgi-
bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mo=18606&mode=al2&namber=41284&no=0&page=0&rev=1&spac
e=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 6.1; Win64; x64)
AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/108.0.0.0
Safari\\/537.36\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"http
Status\":301,\"httpVersion\":\"HTTP\\/
1.0\",\"receivedBytes\":486,\"sentBytes\":507,\"connectionSerialNumber\":510169,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"6957d731a24768
41b01f98e8b24e1fab\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}}]}"}}}
[2024-02-25T03:41:39,678][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:41:13+00:00", "timeStamp"=>"2024-02-
25T03:41:13+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>41655,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.65e-1,
"transactionId"=>"c319b79edfe7214a0c289694016e5705", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&mo=6293&namber=5789364&space=0&rev=0&page=0&In=1&no=0",
"WAFEvaluationTime"=>"0.000", "serverStatus"=>"200", "clientIP"=>"23.94.162.190",
"httpStatus"=>200, "sentBytes"=>7689,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>510168, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>785,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mode=al2&mo=6293&namber=5789364&space=0&rev=0&page=0&In=1&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.6e-2,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Edge/44.18363.8131", "upstreamSourcePort"=>"49918",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.064"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:41:39,679][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:41:19+00:00", "timeStamp"=>"2024-02-
25T03:41:19+00:00", "listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect",
"properties"=>{"host"=>"", "clientPort"=>59867, "sslProtocol"=>"",
"serverRouted"=>"", "sslCipher"=>"", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"6957d731a2476841b01f98e8b24e1fab", "sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mo=18606&mode=al2&namber=41284&no=0&page=0&rev=1&space=0", "WAFEvaluationTime"=>"",
"serverStatus"=>"", "clientIP"=>"5.188.210.91", "httpStatus"=>301,
"sentBytes"=>507, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"", "connectionSerialNumber"=>510169, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>486,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_4",
"requestQuery"=>"mo=18606&mode=al2&namber=41284&no=0&page=0&rev=1&space=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/108.0.0.0 Safari/537.36", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.0",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, :field=>"records"}
[2024-02-25T03:41:39,686][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>2, :payload_size=>19722, :content_length=>2928, :batch_offset=>0}
[2024-02-25T03:41:39,717][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:41:39,717][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:41:39,725][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:41:42,235][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:41:42,235][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:41:42,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:41:42,711][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_539107_1708832038496_MF_00b33c_1708832038383-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
2], linkName[LN_c22bd3_1708832038545_dc7f_G9] - schedule operation timer, current:
[2024-02-25T03:41:42.711486581Z], remaining: [60] secs
[2024-02-25T03:41:42,712][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_539107_1708832038496_MF_00b33c_1708832038383-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
2], linkName[LN_c22bd3_1708832038545_dc7f_G9] - Reschedule operation timer,
current: [2024-02-25T03:41:42.712963513Z], remaining: [59] secs
[2024-02-25T03:41:42,717][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:41:42,717][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:41:42,719][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:41:43,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:41:43,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:41:43,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25249
[2024-02-25T03:41:43,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20066
[2024-02-25T03:41:43,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25180
[2024-02-25T03:41:43,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25249
[2024-02-25T03:41:43,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25199
[2024-02-25T03:41:43,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20066
[2024-02-25T03:41:43,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25180
[2024-02-25T03:41:43,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25199
[2024-02-25T03:41:43,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:41:43,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:41:43,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:41:43,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:41:43,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:41:43,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:41:43,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:41:43,427][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:41:43,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:41:43,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:41:43,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:41:43,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:41:43,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:41:43,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:41:43,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 1
[2024-02-25T03:41:43,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:41:43,493][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:41:43,493][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:41:43,493][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:41:45,443][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
1], linkName[LN_7535a2_1708832073460_45c_G10] - Reschedule operation timer,
current: [2024-02-25T03:41:45.443477986Z], remaining: [54] secs
[2024-02-25T03:41:45,724][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:41:45,724][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:41:45,726][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:41:46,740][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=347708838} forced-compaction result
(captures: `13` span: `PT1M0.030598365S`)
[2024-02-25T03:41:46,740][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1975461151} forced-compaction result
(captures: `13` span: `PT1M0.030572364S`)
[2024-02-25T03:41:46,740][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=834359250} forced-compaction result
(captures: `13` span: `PT1M0.030566665S`)
[2024-02-25T03:41:46,740][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=212501865} forced-compaction result
(captures: `13` span: `PT1M0.030535264S`)
[2024-02-25T03:41:46,740][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1420193271} forced-compaction result
(captures: `13` span: `PT1M0.030481763S`)
[2024-02-25T03:41:47,241][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:41:47,241][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:41:47,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:41:47,714][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 is processing a batch of
size 1.
[2024-02-25T03:41:47,716][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: Saving checkpoint: 1533336293384//1261946
[2024-02-25T03:41:47,716][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: updateCheckpoint() 1533336293384//1261946
[2024-02-25T03:41:47,717][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 finished processing a batch
of 5263 bytes.
[2024-02-25T03:41:47,767][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:41:47.716204588Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:41:12+00:00\", \"time\": \"2024-02-25T03:41:12+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"23.94.162.190\",\"clientPort\":38277,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=6293&namber=5789364&space=0&rev=0&page=0&In=1&no=0\",\"requestUri\":\"\
\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=6293&namber=5789364&space=0&rev=0&page=0&
In=1&no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox
One) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/114.0.0.0 Safari\\/537.36
Edge\\/44.18363.8131\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":617,\"sentBytes\":518,\"connectionSerialNumber\":509712,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"c40d85e673683e
679b36d8148eda879a\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:41:13+00:00\", \"time\": \"2024-02-
25T03:41:13+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.9\",\"clientPort\":35618,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=5705943&no=0&rev=0\",\"requestUri\":\"\\/cgi-
bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=5705943&no=0&rev=0\",\"userAgent\":\"
Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":359,\"sentBytes\":6145,\"connectionSerialNumber\":509713,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.066,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"da24a22acd5c47c4225bdf6b323dc274\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"51938\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:41:16+00:00\", \"time\": \"2024-02-25T03:41:16+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.6\",\"clientPort\":46594,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=90741&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=90741&no=0&page\",\"userAgent\":\"Moz
illa\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":356,\"sentBytes\":5974,\"connectionSerialNumber\":509715,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.064,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"6e26a860ed5de067ee90c033cf5345f4\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"51938\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:41:12+00:00\", \"time\": \"2024-02-
25T03:41:12+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"23.94.162.190\",\"clientPort\":38277,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=6293&namber=5789364&space=0&rev=0&page=0&In=1&no=0\",\"requestUri\":\"\
\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=6293&namber=5789364&space=0&rev=0&page=0&
In=1&no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox
One) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/114.0.0.0 Safari\\/537.36
Edge\\/44.18363.8131\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":617,\"sentBytes\":518,\"connectionSerialNumber\":509712,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"c40d85e673683e
679b36d8148eda879a\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:41:13+00:00\", \"time\": \"2024-02-
25T03:41:13+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.9\",\"clientPort\":35618,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=5705943&no=0&rev=0\",\"requestUri\":\"\\/cgi-
bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=5705943&no=0&rev=0\",\"userAgent\":\"
Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":359,\"sentBytes\":6145,\"connectionSerialNumber\":509713,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.066,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"da24a22acd5c47c4225bdf6b323dc274\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"51938\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-25T03:41:16+00:00\",
\"time\": \"2024-02-25T03:41:16+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.6\",\"clientPort\":46594,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=90741&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=90741&no=0&page\",\"userAgent\":\"Moz
illa\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":356,\"sentBytes\":5974,\"connectionSerialNumber\":509715,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.064,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"6e26a860ed5de067ee90c033cf5345f4\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"51938\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:41:47,768][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:41:12+00:00", "timeStamp"=>"2024-02-25T03:41:12+00:00",
"listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect", "properties"=>{"host"=>"",
"clientPort"=>38277, "sslProtocol"=>"", "serverRouted"=>"", "sslCipher"=>"",
"WAFMode"=>"", "timeTaken"=>0, "transactionId"=>"c40d85e673683e679b36d8148eda879a",
"sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&mo=6293&namber=5789364&space=0&rev=0&page=0&In=1&no=0",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"23.94.162.190",
"httpStatus"=>301, "sentBytes"=>518,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509712, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>617,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&mo=6293&namber=5789364&space=0&rev=0&page=0&In=1&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Edge/44.18363.8131", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, {"time"=>"2024-02-
25T03:41:13+00:00", "timeStamp"=>"2024-02-25T03:41:13+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>35618,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.66e-1,
"transactionId"=>"da24a22acd5c47c4225bdf6b323dc274", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&namber=5705943&no=0&rev=0", "WAFEvaluationTime"=>"0.004",
"serverStatus"=>"200", "clientIP"=>"185.191.171.9", "httpStatus"=>200,
"sentBytes"=>6145, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509713, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>359,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&namber=5705943&no=0&rev=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.5e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"51938",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.060"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, {"time"=>"2024-02-25T03:41:16+00:00",
"timeStamp"=>"2024-02-25T03:41:16+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>46594,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.64e-1,
"transactionId"=>"6e26a860ed5de067ee90c033cf5345f4", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=90741&no=0&page", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"185.191.171.6", "httpStatus"=>200,
"sentBytes"=>5974, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509715, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>356,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=res&namber=90741&no=0&page",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.5e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"51938",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.064"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}], "@timestamp"=>2024-02-
25T03:41:47.716204588Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:41:12+00:00\", \"time\": \"2024-02-25T03:41:12+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"23.94.162.190\",\"clientPort\":38277,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=6293&namber=5789364&space=0&rev=0&page=0&In=1&no=0\",\"requestUri\":\"\
\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=6293&namber=5789364&space=0&rev=0&page=0&
In=1&no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox
One) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/114.0.0.0 Safari\\/537.36
Edge\\/44.18363.8131\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":617,\"sentBytes\":518,\"connectionSerialNumber\":509712,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"c40d85e673683e
679b36d8148eda879a\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:41:13+00:00\", \"time\": \"2024-02-
25T03:41:13+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.9\",\"clientPort\":35618,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=5705943&no=0&rev=0\",\"requestUri\":\"\\/cgi-
bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=5705943&no=0&rev=0\",\"userAgent\":\"
Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":359,\"sentBytes\":6145,\"connectionSerialNumber\":509713,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.066,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"da24a22acd5c47c4225bdf6b323dc274\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"51938\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:41:16+00:00\", \"time\": \"2024-02-25T03:41:16+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\",
\"operationName\": \"ApplicationGatewayAccess\", \"category\": \"ApplicationGatewa
yAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.6\",\"clientPort\":46594,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=90741&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=90741&no=0&page\",\"userAgent\":\"Moz
illa\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":356,\"sentBytes\":5974,\"connectionSerialNumber\":509715,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.064,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"6e26a860ed5de067ee90c033cf5345f4\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"51938\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}", "event"=>{"original"=>"{\"records\":
[{ \"timeStamp\": \"2024-02-25T03:41:12+00:00\", \"time\": \"2024-02-
25T03:41:12+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTP_RepJP-
Redirect\", \"ruleName\": \"APG01_RoutingRule12_RepJP-
Redirect\", \"operationName\": \"ApplicationGatewayAccess\", \"category\": \"Applic
ationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"23.94.162.190\",\"clientPort\":38277,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?
mode=al2&mo=6293&namber=5789364&space=0&rev=0&page=0&In=1&no=0\",\"requestUri\":\"\
\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&mo=6293&namber=5789364&space=0&rev=0&page=0&
In=1&no=0\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox
One) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/114.0.0.0 Safari\\/537.36
Edge\\/44.18363.8131\",\"contentType\":\"\",\"error_info\":\"ERRORINFO_NO_ERROR\",\
"httpStatus\":301,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":617,\"sentBytes\":518,\"connectionSerialNumber\":509712,\"n
oOfConnectionRequests\":1,\"clientResponseTime\":0,\"timeTaken\":0,\"WAFEvaluationT
ime\":\"\",\"WAFMode\":\"\",\"WAFPolicyID\":\"\",\"transactionId\":\"c40d85e673683e
679b36d8148eda879a\",\"sslEnabled\":\"\",\"sslCipher\":\"\",\"sslProtocol\":\"\",\"
sslClientVerify\":\"\",\"sslClientCertificateFingerprint\":\"\",\"sslClientCertific
ateIssuerName\":\"\",\"serverRouted\":\"\",\"serverStatus\":\"\",\"serverResponseLa
tency\":\"\",\"upstreamSourcePort\":\"\",\"originalHost\":\"rep.jp.yokogawa.com\",\
"host\":\"\"}},{ \"timeStamp\": \"2024-02-25T03:41:13+00:00\", \"time\": \"2024-02-
25T03:41:13+00:00\", \"resourceId\": \"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-
3F0510C83CA3/RESOURCEGROUPS/RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/
APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.9\",\"clientPort\":35618,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=al2&namber=5705943&no=0&rev=0\",\"requestUri\":\"\\/cgi-
bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=al2&namber=5705943&no=0&rev=0\",\"userAgent\":\"
Mozilla\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":359,\"sentBytes\":6145,\"connectionSerialNumber\":509713,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.066,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"da24a22acd5c47c4225bdf6b323dc274\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.060\",\"upst
reamSourcePort\":\"51938\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}},{ \"timeStamp\": \"2024-02-
25T03:41:16+00:00\", \"time\": \"2024-02-25T03:41:16+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_2\",\"clientIP\":\"185.191.171.6\",\"clientPort\":46594,\"h
ttpMethod\":\"GET\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi?mode=res&namber=90741&no=0&page\",\"requestUri\":\"\\/cgi-bin\\/
fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"mode=res&namber=90741&no=0&page\",\"userAgent\":\"Moz
illa\\/5.0 (compatible; SemrushBot\\/7~bl;
+http:\\/\\/www.semrush.com\\/bot.html)\",\"contentType\":\"\",\"error_info\":\"ERR
ORINFO_NO_ERROR\",\"httpStatus\":200,\"httpVersion\":\"HTTP\\/
1.1\",\"receivedBytes\":356,\"sentBytes\":5974,\"connectionSerialNumber\":509715,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.005,\"timeTaken\":0.064,\"WAFEv
aluationTime\":\"0.000\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"6e26a860ed5de067ee90c033cf5345f4\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
10.0.9.146:80\",\"serverStatus\":\"200\",\"serverResponseLatency\":\"0.064\",\"upst
reamSourcePort\":\"51938\",\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"rep.
jp.yokogawa.com\"}}]}"}}}
[2024-02-25T03:41:47,769][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:41:12+00:00", "timeStamp"=>"2024-02-
25T03:41:12+00:00", "listenerName"=>"APG01_Listener12_HTTP_RepJP-Redirect",
"properties"=>{"host"=>"", "clientPort"=>38277, "sslProtocol"=>"",
"serverRouted"=>"", "sslCipher"=>"", "WAFMode"=>"", "timeTaken"=>0,
"transactionId"=>"c40d85e673683e679b36d8148eda879a", "sslClientVerify"=>"",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&mo=6293&namber=5789364&space=0&rev=0&page=0&In=1&no=0",
"WAFEvaluationTime"=>"", "serverStatus"=>"", "clientIP"=>"23.94.162.190",
"httpStatus"=>301, "sentBytes"=>518,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi", "WAFPolicyID"=>"",
"connectionSerialNumber"=>509712, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"", "receivedBytes"=>617,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&mo=6293&namber=5789364&space=0&rev=0&page=0&In=1&no=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0,
"userAgent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Edge/44.18363.8131", "upstreamSourcePort"=>"",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>""},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP-Redirect"}, :field=>"records"}
[2024-02-25T03:41:47,770][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:41:13+00:00", "timeStamp"=>"2024-02-
25T03:41:13+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>35618,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.66e-1,
"transactionId"=>"da24a22acd5c47c4225bdf6b323dc274", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=al2&namber=5705943&no=0&rev=0", "WAFEvaluationTime"=>"0.004",
"serverStatus"=>"200", "clientIP"=>"185.191.171.9", "httpStatus"=>200,
"sentBytes"=>6145, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509713, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>359,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=al2&namber=5705943&no=0&rev=0",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.5e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"51938",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.060"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:41:47,775][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:41:16+00:00", "timeStamp"=>"2024-02-
25T03:41:16+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP",
"properties"=>{"host"=>"rep.jp.yokogawa.com", "clientPort"=>46594,
"sslProtocol"=>"TLSv1.2", "serverRouted"=>"10.0.9.146:80", "sslCipher"=>"ECDHE-RSA-
AES256-GCM-SHA384", "WAFMode"=>"Prevention", "timeTaken"=>0.64e-1,
"transactionId"=>"6e26a860ed5de067ee90c033cf5345f4", "sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi?
mode=res&namber=90741&no=0&page", "WAFEvaluationTime"=>"0.000",
"serverStatus"=>"200", "clientIP"=>"185.191.171.6", "httpStatus"=>200,
"sentBytes"=>5974, "requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>509715, "contentType"=>"",
"originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on", "receivedBytes"=>356,
"httpMethod"=>"GET", "sslClientCertificateIssuerName"=>"", "instanceId"=>"appgw_2",
"requestQuery"=>"mode=res&namber=90741&no=0&page",
"error_info"=>"ERRORINFO_NO_ERROR", "clientResponseTime"=>0.5e-2,
"userAgent"=>"Mozilla/5.0 (compatible; SemrushBot/7~bl;
+http://www.semrush.com/bot.html)", "upstreamSourcePort"=>"51938",
"sslClientCertificateFingerprint"=>"", "httpVersion"=>"HTTP/1.1",
"noOfConnectionRequests"=>1, "serverResponseLatency"=>"0.064"},
"operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:41:47,778][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>3, :payload_size=>41137, :content_length=>3712, :batch_offset=>0}
[2024-02-25T03:41:48,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:41:48,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:41:48,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20248
[2024-02-25T03:41:48,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25065
[2024-02-25T03:41:48,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20248
[2024-02-25T03:41:48,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20179
[2024-02-25T03:41:48,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25065
[2024-02-25T03:41:48,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20198
[2024-02-25T03:41:48,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20179
[2024-02-25T03:41:48,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20198
[2024-02-25T03:41:48,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:41:48,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:41:48,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:41:48,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:41:48,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:41:48,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:41:48,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:41:48,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:41:48,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:41:48,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:41:48,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:41:48,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:41:48,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:41:48,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:41:48,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:41:48,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:41:48,607][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:41:48,607][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:41:48,608][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:41:48,626][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:41:48,626][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:41:48,627][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:41:48,676][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:41:48,676][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:41:48,676][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:41:48,717][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:41:48,717][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:41:48,719][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:41:50,614][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], linkName[LN_163586_1708832038575_634_G17] - Reschedule operation timer,
current: [2024-02-25T03:41:50.614910086Z], remaining: [37] secs
[2024-02-25T03:41:50,615][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], linkName[LN_163586_1708832038575_634_G17] - Reschedule operation timer,
current: [2024-02-25T03:41:50.615337496Z], remaining: [37] secs
[2024-02-25T03:41:50,708][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is processing a batch of
size 1.
[2024-02-25T03:41:50,710][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Saving checkpoint: 1533313507000//1261851
[2024-02-25T03:41:50,710][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryCheckpointManager]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: updateCheckpoint() 1533313507000//1261851
[2024-02-25T03:41:50,710][DEBUG][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 finished processing a batch
of 1814 bytes.
[2024-02-25T03:41:50,761][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Running json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "@timestamp"=>2024-02-
25T03:41:50.709607728Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:41:21+00:00\", \"time\": \"2024-02-25T03:41:21+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"5.188.210.91\",\"clientPort\":60036,\"ht
tpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi\",\"requestUri\":\"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 6.1;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/108.0.0.0
Safari\\/537.36\",\"contentType\":\"multipart\\/form-data;
boundary=e722d1adce552\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":403,\
"httpVersion\":\"HTTP\\/
1.0\",\"receivedBytes\":1753,\"sentBytes\":757,\"connectionSerialNumber\":510171,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.223,\"timeTaken\":0.228,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"8185d612bff06df6bea063ddde997e35\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"\"}}]}",
"event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:41:21+00:00\", \"time\": \"2024-02-25T03:41:21+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"5.188.210.91\",\"clientPort\":60036,\"ht
tpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi\",\"requestUri\":\"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 6.1;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/108.0.0.0
Safari\\/537.36\",\"contentType\":\"multipart\\/form-data;
boundary=e722d1adce552\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":403,\
"httpVersion\":\"HTTP\\/
1.0\",\"receivedBytes\":1753,\"sentBytes\":757,\"connectionSerialNumber\":510171,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.223,\"timeTaken\":0.228,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"8185d612bff06df6bea063ddde997e35\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"\"}}]}"}}}
[2024-02-25T03:41:50,762][DEBUG][logstash.filters.json ][azure_waf_access]
[13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007] Event after json
filter {:event=>{"@version"=>"1", "type"=>"azure_waf", "records"=>[{"time"=>"2024-
02-25T03:41:21+00:00", "timeStamp"=>"2024-02-25T03:41:21+00:00",
"backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP", "properties"=>{"host"=>"",
"clientPort"=>60036, "sslProtocol"=>"TLSv1.2", "serverRouted"=>"",
"sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"Prevention",
"timeTaken"=>0.228e0, "transactionId"=>"8185d612bff06df6bea063ddde997e35",
"sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFEvaluationTime"=>"0.004", "serverStatus"=>"", "clientIP"=>"5.188.210.91",
"httpStatus"=>403, "sentBytes"=>757,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>510171, "contentType"=>"multipart/form-data;
boundary=e722d1adce552", "originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on",
"receivedBytes"=>1753, "httpMethod"=>"POST", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_4", "requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR",
"clientResponseTime"=>0.223e0, "userAgent"=>"Mozilla/5.0 (Windows NT 6.1; Win64;
x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.0", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}], "@timestamp"=>2024-02-
25T03:41:50.709607728Z, "message"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:41:21+00:00\", \"time\": \"2024-02-25T03:41:21+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"5.188.210.91\",\"clientPort\":60036,\"ht
tpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi\",\"requestUri\":\"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 6.1;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/108.0.0.0
Safari\\/537.36\",\"contentType\":\"multipart\\/form-data;
boundary=e722d1adce552\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":403,\
"httpVersion\":\"HTTP\\/
1.0\",\"receivedBytes\":1753,\"sentBytes\":757,\"connectionSerialNumber\":510171,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.223,\"timeTaken\":0.228,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"8185d612bff06df6bea063ddde997e35\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"\"}}]}",
"event"=>{"original"=>"{\"records\": [{ \"timeStamp\": \"2024-02-
25T03:41:21+00:00\", \"time\": \"2024-02-25T03:41:21+00:00\", \"resourceId\":
\"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2\", \"listenerName\": \"APG01_Listener12_HTTPS_RepJP\", \"ruleName\":
\"APG01_RoutingRule12_RepJP\", \"backendPoolName\": \"APG01_BackendPool12_RepJP\",
\"backendSettingName\": \"APG01_HTTP12_RepJP\", \"operationName\": \"ApplicationGat
ewayAccess\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\":
{\"instanceId\":\"appgw_4\",\"clientIP\":\"5.188.210.91\",\"clientPort\":60036,\"ht
tpMethod\":\"POST\",\"originalRequestUriWithArgs\":\"\\/cgi-bin\\/fam3cyber\\/
cbbs\\/cbbs.cgi\",\"requestUri\":\"\\/cgi-bin\\/fam3cyber\\/cbbs\\/
cbbs.cgi\",\"requestQuery\":\"\",\"userAgent\":\"Mozilla\\/5.0 (Windows NT 6.1;
Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/108.0.0.0
Safari\\/537.36\",\"contentType\":\"multipart\\/form-data;
boundary=e722d1adce552\",\"error_info\":\"ERRORINFO_NO_ERROR\",\"httpStatus\":403,\
"httpVersion\":\"HTTP\\/
1.0\",\"receivedBytes\":1753,\"sentBytes\":757,\"connectionSerialNumber\":510171,\"
noOfConnectionRequests\":1,\"clientResponseTime\":0.223,\"timeTaken\":0.228,\"WAFEv
aluationTime\":\"0.004\",\"WAFMode\":\"Prevention\",\"WAFPolicyID\":\"\\/
subscriptions\\/2bd75eb1-d088-445b-a7e3-3f0510c83ca3\\/resourceGroups\\/
RG_YAzureDMZ_APG01\\/providers\\/Microsoft.Network\\/
ApplicationGatewayWebApplicationFirewallPolicies\\/
APG01V2_WAFPolicy12_RepJP\",\"transactionId\":\"8185d612bff06df6bea063ddde997e35\",
\"sslEnabled\":\"on\",\"sslCipher\":\"ECDHE-RSA-AES256-GCM-
SHA384\",\"sslProtocol\":\"TLSv1.2\",\"sslClientVerify\":\"NONE\",\"sslClientCertif
icateFingerprint\":\"\",\"sslClientCertificateIssuerName\":\"\",\"serverRouted\":\"
\",\"serverStatus\":\"\",\"serverResponseLatency\":\"\",\"upstreamSourcePort\":\"\"
,\"originalHost\":\"rep.jp.yokogawa.com\",\"host\":\"\"}}]}"}}}
[2024-02-25T03:41:50,763][DEBUG][logstash.filters.split ][azure_waf_access]
[c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c] Split event
{:value=>{"time"=>"2024-02-25T03:41:21+00:00", "timeStamp"=>"2024-02-
25T03:41:21+00:00", "backendPoolName"=>"APG01_BackendPool12_RepJP",
"listenerName"=>"APG01_Listener12_HTTPS_RepJP", "properties"=>{"host"=>"",
"clientPort"=>60036, "sslProtocol"=>"TLSv1.2", "serverRouted"=>"",
"sslCipher"=>"ECDHE-RSA-AES256-GCM-SHA384", "WAFMode"=>"Prevention",
"timeTaken"=>0.228e0, "transactionId"=>"8185d612bff06df6bea063ddde997e35",
"sslClientVerify"=>"NONE",
"originalRequestUriWithArgs"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFEvaluationTime"=>"0.004", "serverStatus"=>"", "clientIP"=>"5.188.210.91",
"httpStatus"=>403, "sentBytes"=>757,
"requestUri"=>"/cgi-bin/fam3cyber/cbbs/cbbs.cgi",
"WAFPolicyID"=>"/subscriptions/2bd75eb1-d088-445b-a7e3-3f0510c83ca3/
resourceGroups/RG_YAzureDMZ_APG01/providers/Microsoft.Network/
ApplicationGatewayWebApplicationFirewallPolicies/APG01V2_WAFPolicy12_RepJP",
"connectionSerialNumber"=>510171, "contentType"=>"multipart/form-data;
boundary=e722d1adce552", "originalHost"=>"rep.jp.yokogawa.com", "sslEnabled"=>"on",
"receivedBytes"=>1753, "httpMethod"=>"POST", "sslClientCertificateIssuerName"=>"",
"instanceId"=>"appgw_4", "requestQuery"=>"", "error_info"=>"ERRORINFO_NO_ERROR",
"clientResponseTime"=>0.223e0, "userAgent"=>"Mozilla/5.0 (Windows NT 6.1; Win64;
x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36",
"upstreamSourcePort"=>"", "sslClientCertificateFingerprint"=>"",
"httpVersion"=>"HTTP/1.0", "noOfConnectionRequests"=>1,
"serverResponseLatency"=>""}, "operationName"=>"ApplicationGatewayAccess",
"resourceId"=>"/SUBSCRIPTIONS/2BD75EB1-D088-445B-A7E3-3F0510C83CA3/RESOURCEGROUPS/
RG_YAZUREDMZ_APG01/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Y-
AZURE_APG01_V2", "backendSettingName"=>"APG01_HTTP12_RepJP",
"category"=>"ApplicationGatewayAccessLog",
"ruleName"=>"APG01_RoutingRule12_RepJP"}, :field=>"records"}
[2024-02-25T03:41:50,765][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
[002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529] Sending final
bulk request for batch.
{:action_count=>1, :payload_size=>6123, :content_length=>1793, :batch_offset=>0}
[2024-02-25T03:41:51,718][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:41:51,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:41:51,727][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:41:51,742][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1185004608} forced-compaction result
(captures: `13` span: `PT1M0.030011494S`)
[2024-02-25T03:41:51,743][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=470312551} forced-compaction result
(captures: `13` span: `PT1M0.030092095S`)
[2024-02-25T03:41:51,743][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1089746968} forced-compaction result
(captures: `13` span: `PT1M0.030086396S`)
[2024-02-25T03:41:51,743][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=852728684} forced-compaction result
(captures: `13` span: `PT1M0.030094495S`)
[2024-02-25T03:41:51,743][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2044420810} forced-compaction result
(captures: `13` span: `PT1M0.030083695S`)
[2024-02-25T03:41:51,743][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=650053832} forced-compaction result
(captures: `13` span: `PT1M0.030068595S`)
[2024-02-25T03:41:51,743][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1206567167} forced-compaction result
(captures: `13` span: `PT1M0.030038595S`)
[2024-02-25T03:41:51,743][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1766603669} forced-compaction result
(captures: `13` span: `PT1M0.030017894S`)
[2024-02-25T03:41:51,743][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1260640580} forced-compaction result
(captures: `13` span: `PT1M0.030001993S`)
[2024-02-25T03:41:51,743][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=352608672} forced-compaction result
(captures: `13` span: `PT1M0.029984893S`)
[2024-02-25T03:41:51,743][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=83404487} forced-compaction result
(captures: `13` span: `PT1M0.029968693S`)
[2024-02-25T03:41:51,743][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=216053086} forced-compaction result
(captures: `13` span: `PT1M0.029955192S`)
[2024-02-25T03:41:51,743][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1499243647} forced-compaction result
(captures: `13` span: `PT1M0.029918992S`)
[2024-02-25T03:41:51,743][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1877198741} forced-compaction result
(captures: `13` span: `PT1M0.029902091S`)
[2024-02-25T03:41:52,253][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:41:52,253][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:41:52,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:41:53,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:41:53,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25248
[2024-02-25T03:41:53,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20065
[2024-02-25T03:41:53,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25179
[2024-02-25T03:41:53,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25198
[2024-02-25T03:41:53,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:41:53,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:41:53,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:41:53,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:41:53,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:41:53,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:41:53,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 1
[2024-02-25T03:41:53,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:41:53,428][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:41:53,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 25247
[2024-02-25T03:41:53,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 20064
[2024-02-25T03:41:53,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 25178
[2024-02-25T03:41:53,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 25197
[2024-02-25T03:41:53,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:41:53,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:41:53,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:41:53,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:41:53,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:41:53,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:41:53,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:41:53,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:41:53,493][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: leaseRenewer()
[2024-02-25T03:41:53,493][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: renewLease()
[2024-02-25T03:41:53,493][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: scheduling leaseRenewer in 10
[2024-02-25T03:41:54,724][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:41:54,724][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:41:54,726][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:41:56,744][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1206079401} forced-compaction result (captures: `3` span: `PT10.004310602S`)
[2024-02-25T03:41:56,745][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=725814568} forced-compaction result (captures: `3` span: `PT10.004314103S`)
[2024-02-25T03:41:56,745][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1730595321} forced-compaction result (captures: `3` span: `PT10.004272201S`)
[2024-02-25T03:41:56,745][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2047832316} forced-compaction result
(captures: `13` span: `PT1M0.029445422S`)
[2024-02-25T03:41:56,745][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=267304298} forced-compaction result
(captures: `13` span: `PT1M0.029496524S`)
[2024-02-25T03:41:57,261][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:41:57,261][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:41:57,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:41:57,717][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:41:57,718][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:41:57,719][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:41:58,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Starting lease scan
[2024-02-25T03:41:58,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20247
[2024-02-25T03:41:58,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25064
[2024-02-25T03:41:58,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20178
[2024-02-25T03:41:58,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20197
[2024-02-25T03:41:58,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Starting lease scan
[2024-02-25T03:41:58,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20247
[2024-02-25T03:41:58,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
leased 25064
[2024-02-25T03:41:58,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
leased 20178
[2024-02-25T03:41:58,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
leased 20197
[2024-02-25T03:41:58,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Accounting input: allLeaseStates size is 4
[2024-02-25T03:41:58,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host ordinal: 1 Rotating leases to start at
2
[2024-02-25T03:41:58,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Accounting input: allLeaseStates size is 4
[2024-02-25T03:41:58,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Host count is 2 Desired owned count is 2
[2024-02-25T03:41:58,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:41:58,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host ordinal: 0 Rotating leases to start at
0
[2024-02-25T03:41:58,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Examining chunk at '2'[0] need 0
[2024-02-25T03:41:58,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Host count is 2 Desired owned count is 2
[2024-02-25T03:41:58,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:41:58,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: ourLeasesCount 2 leasesOwnedByOthers 2
unowned 0
[2024-02-25T03:41:58,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Examining chunk at '0'[0] need 0
[2024-02-25T03:41:58,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scanning took 0
[2024-02-25T03:41:58,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionScanner][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Short circuit: needed is 0, unowned is 0, or
off end
[2024-02-25T03:41:58,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Scheduling lease scanner in 5
[2024-02-25T03:41:58,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scanning took 0
[2024-02-25T03:41:58,429][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Scheduling lease scanner in 5
[2024-02-25T03:41:58,608][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: leaseRenewer()
[2024-02-25T03:41:58,608][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: renewLease()
[2024-02-25T03:41:58,608][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: scheduling leaseRenewer in 10
[2024-02-25T03:41:58,627][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: leaseRenewer()
[2024-02-25T03:41:58,627][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: renewLease()
[2024-02-25T03:41:58,627][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: scheduling leaseRenewer in 10
[2024-02-25T03:41:58,676][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: leaseRenewer()
[2024-02-25T03:41:58,676][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: renewLease()
[2024-02-25T03:41:58,676][DEBUG]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: scheduling leaseRenewer in 10
[2024-02-25T03:42:00,722][DEBUG][logstash.config.source.local.configpathloader]
Skipping the following files while reading config since they don't match the
specified glob pattern {:files=>["/etc/logstash/conf.d/ad.conf",
"/etc/logstash/conf.d/backup", "/etc/logstash/conf.d/cucm.cfg",
"/etc/logstash/conf.d/fireeyenx.cfg", "/etc/logstash/conf.d/fixed_ip_host.csv",
"/etc/logstash/conf.d/ids.cfg", "/etc/logstash/conf.d/input_file_gzipped.conf",
"/etc/logstash/conf.d/mcas.conf", "/etc/logstash/conf.d/mypipeline.cfg",
"/etc/logstash/conf.d/patterns", "/etc/logstash/conf.d/wsa.cfg",
"/etc/logstash/conf.d/yhq-awswaf.conf", "/etc/logstash/conf.d/yhq-azurewaf.conf",
"/etc/logstash/conf.d/yhq-azurewaf_20211227.conf", "/etc/logstash/conf.d/yhq-cisco-
asav-azure.conf", "/etc/logstash/conf.d/yhq-cisco-asav-test.conf",
"/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf",
"/etc/logstash/conf.d/zscaler.conf", "/etc/logstash/conf.d/zscaler_firewall.conf"]}
[2024-02-25T03:42:00,722][DEBUG][logstash.config.source.local.configpathloader]
Reading config file {:config_file=>"/etc/logstash/conf.d/yhq-azurewaf-
accesslog.conf"}
[2024-02-25T03:42:00,724][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>0}
[2024-02-25T03:42:01,716][WARN ][logstash.runner ] SIGTERM received.
Shutting down.
[2024-02-25T03:42:01,744][DEBUG][logstash.agent ] Shutting down all
pipelines {:pipelines_count=>1}
[2024-02-25T03:42:01,752][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=540156057} forced-compaction result (captures: `3` span: `PT10.010105527S`)
[2024-02-25T03:42:01,752][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1346215174} forced-compaction result (captures: `3` span: `PT10.01022273S`)
[2024-02-25T03:42:01,752][DEBUG][logstash.agent ] Converging pipelines
state {:actions_count=>1}
[2024-02-25T03:42:01,753][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=827149645} forced-compaction result (captures: `3` span: `PT10.01026283S`)
[2024-02-25T03:42:01,753][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=235286487} forced-compaction result (captures: `3` span: `PT10.010157128S`)
[2024-02-25T03:42:01,753][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1065480294} forced-compaction result (captures: `3` span: `PT10.010157228S`)
[2024-02-25T03:42:01,753][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=57188157} forced-compaction result (captures: `3` span: `PT10.010153428S`)
[2024-02-25T03:42:01,753][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1486130488} forced-compaction result (captures: `3` span: `PT10.010153029S`)
[2024-02-25T03:42:01,753][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1741908330} forced-compaction result (captures: `3` span: `PT10.010173729S`)
[2024-02-25T03:42:01,753][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1466017590} forced-compaction result (captures: `3` span: `PT10.010182428S`)
[2024-02-25T03:42:01,753][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=272063376} forced-compaction result (captures: `3` span: `PT10.010182429S`)
[2024-02-25T03:42:01,753][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1815538147} forced-compaction result (captures: `3` span: `PT10.010181429S`)
[2024-02-25T03:42:01,753][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=273831222} forced-compaction result (captures: `3` span: `PT10.010181328S`)
[2024-02-25T03:42:01,753][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1255151645} forced-compaction result (captures: `3` span: `PT10.010180829S`)
[2024-02-25T03:42:01,753][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1620128012} forced-compaction result (captures: `3` span: `PT10.010178629S`)
[2024-02-25T03:42:01,753][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1001633036} forced-compaction result (captures: `3` span: `PT10.010178028S`)
[2024-02-25T03:42:01,753][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=969583785} forced-compaction result (captures: `3` span: `PT10.010178529S`)
[2024-02-25T03:42:01,755][DEBUG][logstash.agent ] Executing action
{:action=>LogStash::PipelineAction::StopAndDelete/pipeline_id:azure_waf_access}
[2024-02-25T03:42:01,784][DEBUG][logstash.javapipeline ] Closing inputs
{:pipeline_id=>"azure_waf_access", :thread=>"#<Thread:0x3de9cd2d
/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 sleep>"}
[2024-02-25T03:42:01,786][DEBUG][logstash.inputs.azureeventhubs] Stopping
{:plugin=>"LogStash::Inputs::AzureEventHubs"}
[2024-02-25T03:42:01,788][DEBUG][logstash.javapipeline ] Closed inputs
{:pipeline_id=>"azure_waf_access", :thread=>"#<Thread:0x3de9cd2d
/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 sleep>"}
[2024-02-25T03:42:01,973][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Unregistering
Event Hub this can take a while... {:event_hub_name=>"insights-logs-
applicationgatewayaccesslog"}
[2024-02-25T03:42:01,974][INFO ]
[com.microsoft.azure.eventprocessorhost.EventProcessorHost][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Stopping event processing
[2024-02-25T03:42:01,974][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Shutting down all pumps
[2024-02-25T03:42:01,974][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: closing pump for reason Shutdown
[2024-02-25T03:42:01,974][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: pump shutdown for reason Shutdown
[2024-02-25T03:42:01,974][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: closing pump for reason Shutdown
[2024-02-25T03:42:01,974][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: pump shutdown for reason Shutdown
[2024-02-25T03:42:01,976][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: Setting receive handler to null
[2024-02-25T03:42:01,976][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Setting receive handler to null
[2024-02-25T03:42:02,010][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Unregistering
Event Hub this can take a while... {:event_hub_name=>"insights-logs-
applicationgatewayaccesslog"}
[2024-02-25T03:42:02,010][INFO ]
[com.microsoft.azure.eventprocessorhost.EventProcessorHost][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Stopping event processing
[2024-02-25T03:42:02,010][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Shutting down all pumps
[2024-02-25T03:42:02,010][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: closing pump for reason Shutdown
[2024-02-25T03:42:02,010][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: pump shutdown for reason Shutdown
[2024-02-25T03:42:02,010][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: closing pump for reason Shutdown
[2024-02-25T03:42:02,010][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: pump shutdown for reason Shutdown
[2024-02-25T03:42:02,010][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: Setting receive handler to null
[2024-02-25T03:42:02,010][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: Setting receive handler to null
[2024-02-25T03:42:02,267][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:42:02,267][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:42:02,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:42:06,755][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=2108110993} forced-compaction result (captures: `3` span: `PT10.010419534S`)
[2024-02-25T03:42:06,755][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1130893468} forced-compaction result (captures: `3` span: `PT10.010501835S`)
[2024-02-25T03:42:06,862][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>35,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>28, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"}]=>
[{"thread_id"=>34, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:42:06,869][ERROR][org.logstash.execution.ShutdownWatcherExt] The
shutdown process appears to be stalled due to busy or blocked plugins. Check the
logs for more information.
[2024-02-25T03:42:07,272][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:42:07,272][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:42:07,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:42:07,966][INFO ][com.microsoft.azure.eventhubs.impl.ReceivePump]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Stopping receive
pump for eventHub (insights-logs-applicationgatewayaccesslog), consumerGroup
($Default), partition (0) as per the request.
[2024-02-25T03:42:07,966][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: Closing EH receiver
[2024-02-25T03:42:07,966][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[PR_fa3633_1708832068590_MF_dea4fe_1708832068367]
[2024-02-25T03:42:07,966][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[PR_fa3633_1708832068590_MF_dea4fe_1708832068367-InternalReceiver]
[2024-02-25T03:42:07,966][INFO ]
[com.microsoft.azure.eventhubs.impl.ActiveClientTokenManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientEntity[PR_fa3633_1708832068590_MF_dea4fe_1708832068367-InternalReceiver] -
canceling ActiveClientLinkManager
[2024-02-25T03:42:07,967][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[PR_fa3633_1708832068590_MF_dea4fe_1708832068367-InternalReceiver],
linkName[LN_f9801c_1708832068620_e07_G30], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:07,967][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[PR_fa3633_1708832068590_MF_dea4fe_1708832068367-InternalReceiver],
linkName[LN_f9801c_1708832068620_e07_G30], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:07,967][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/0], entityName[MF_dea4fe_1708832068367], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:42:07,968][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[PR_fa3633_1708832068590_MF_dea4fe_1708832068367-
InternalReceiver], linkName[LN_f9801c_1708832068620_e07_G30], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:07,968][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[PR_fa3633_1708832068590_MF_dea4fe_1708832068367-InternalReceiver],
linkName[LN_f9801c_1708832068620_e07_G30], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:07,968][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/0], entityName[MF_dea4fe_1708832068367], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:42:07,968][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: Closing EH client
[2024-02-25T03:42:07,968][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[EC_4d7d71_1708832068367]
[2024-02-25T03:42:07,968][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[MF_dea4fe_1708832068367]
[2024-02-25T03:42:07,969][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalClose hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_dea4fe_1708832068367], errorCondition[null], errorDescription[null]
[2024-02-25T03:42:07,969][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:42:07,969][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:42:07,969][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:07,969][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose connectionId[cbs-session], entityName[MF_dea4fe_1708832068367],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:42:07,969][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[cbs], linkName[cbs:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:07,969][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:42:07,970][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:07,970][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:07,970][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onClose complete clientId[MF_dea4fe_1708832068367],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:42:07,970][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_dea4fe_1708832068367], hostName[yazure-eventhub-
apg02.servicebus.windows.net], info[cbsChannel closed]
[2024-02-25T03:42:07,970][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteClose hostname[yazure-eventhub-
apg02.servicebus.windows.net:5671], connectionId[MF_dea4fe_1708832068367],
errorCondition[null], errorDescription[null]
[2024-02-25T03:42:07,970][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionError messagingFactory[MF_dea4fe_1708832068367], hostname[yazure-
eventhub-apg02.servicebus.windows.net], error[null]
[2024-02-25T03:42:07,970][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_dea4fe_1708832068367], error[n/a]
[2024-02-25T03:42:07,970][INFO ]
[com.microsoft.azure.eventhubs.impl.CustomIOHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed name[MF_dea4fe_1708832068367], hostname[yazure-eventhub-
apg02.servicebus.windows.net:5671]
[2024-02-25T03:42:07,970][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionUnbound hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_dea4fe_1708832068367], state[CLOSED], remoteState[CLOSED]
[2024-02-25T03:42:07,970][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_dea4fe_1708832068367], entityName[cbs-session], condition[null],
description[null]
[2024-02-25T03:42:07,970][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_dea4fe_1708832068367], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/0], condition[null],
description[null]
[2024-02-25T03:42:07,970][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionFinal hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_dea4fe_1708832068367], errorCondition[null], errorDescription[null]
[2024-02-25T03:42:07,970][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_dea4fe_1708832068367], hostName[yazure-eventhub-
apg02.servicebus.windows.net], message[stopping the reactor because thread was
interrupted or the reactor has no more events to process.]
[2024-02-25T03:42:07,970][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 0 is closing.
(reason=Shutdown)
[2024-02-25T03:42:07,970][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: releaseLease()
[2024-02-25T03:42:07,970][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(0)
leased 20706
[2024-02-25T03:42:07,970][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 0: releaseLease() released OK
[2024-02-25T03:42:11,884][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>35,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>28, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"}]=>
[{"thread_id"=>34, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:42:12,276][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:42:12,276][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:42:12,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:42:16,759][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=347708838} forced-compaction result
(captures: `13` span: `PT1M0.034398042S`)
[2024-02-25T03:42:16,759][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1975461151} forced-compaction result
(captures: `13` span: `PT1M0.034402142S`)
[2024-02-25T03:42:16,759][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=834359250} forced-compaction result
(captures: `13` span: `PT1M0.034370042S`)
[2024-02-25T03:42:16,760][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=212501865} forced-compaction result
(captures: `13` span: `PT1M0.034366841S`)
[2024-02-25T03:42:16,760][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1420193271} forced-compaction result
(captures: `13` span: `PT1M0.034370441S`)
[2024-02-25T03:42:16,898][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>35,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>28, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"}]=>
[{"thread_id"=>34, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:42:17,283][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:42:17,284][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:42:17,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:42:21,762][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1185004608} forced-compaction result
(captures: `13` span: `PT1M0.034886469S`)
[2024-02-25T03:42:21,762][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=470312551} forced-compaction result
(captures: `13` span: `PT1M0.034938569S`)
[2024-02-25T03:42:21,763][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1089746968} forced-compaction result
(captures: `13` span: `PT1M0.03495087S`)
[2024-02-25T03:42:21,763][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=852728684} forced-compaction result
(captures: `13` span: `PT1M0.03495357S`)
[2024-02-25T03:42:21,763][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2044420810} forced-compaction result
(captures: `13` span: `PT1M0.03495457S`)
[2024-02-25T03:42:21,763][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=650053832} forced-compaction result
(captures: `13` span: `PT1M0.03495867S`)
[2024-02-25T03:42:21,763][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1206567167} forced-compaction result
(captures: `13` span: `PT1M0.03496027S`)
[2024-02-25T03:42:21,763][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1766603669} forced-compaction result
(captures: `13` span: `PT1M0.034955969S`)
[2024-02-25T03:42:21,763][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1260640580} forced-compaction result
(captures: `13` span: `PT1M0.03495627S`)
[2024-02-25T03:42:21,763][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=352608672} forced-compaction result
(captures: `13` span: `PT1M0.03495757S`)
[2024-02-25T03:42:21,763][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=83404487} forced-compaction result
(captures: `13` span: `PT1M0.034960671S`)
[2024-02-25T03:42:21,763][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=216053086} forced-compaction result
(captures: `13` span: `PT1M0.03496057S`)
[2024-02-25T03:42:21,763][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1499243647} forced-compaction result
(captures: `13` span: `PT1M0.03496157S`)
[2024-02-25T03:42:21,763][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=1877198741} forced-compaction result
(captures: `13` span: `PT1M0.034964071S`)
[2024-02-25T03:42:21,911][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>35,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>28, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"}]=>
[{"thread_id"=>34, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:42:22,288][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:42:22,288][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:42:22,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:42:26,765][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1206079401} forced-compaction result (captures: `3` span: `PT10.005198253S`)
[2024-02-25T03:42:26,765][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=725814568} forced-compaction result (captures: `3` span: `PT10.005212853S`)
[2024-02-25T03:42:26,765][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1730595321} forced-compaction result (captures: `3` span: `PT10.005213153S`)
[2024-02-25T03:42:26,765][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=2047832316} forced-compaction result
(captures: `13` span: `PT1M0.034769582S`)
[2024-02-25T03:42:26,765][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric]
RetentionWindow{policy=last_1_minute id=267304298} forced-compaction result
(captures: `13` span: `PT1M0.034795882S`)
[2024-02-25T03:42:26,928][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>35,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>28, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"}]=>
[{"thread_id"=>34, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:42:27,292][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:42:27,293][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:42:27,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:42:28,316][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], linkName[LN_163586_1708832038575_634_G17] - Reschedule operation timer,
current: [2024-02-25T03:42:28.316533005Z], remaining: [22] secs
[2024-02-25T03:42:28,316][DEBUG]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], linkName[LN_163586_1708832038575_634_G17] - Reschedule operation timer,
current: [2024-02-25T03:42:28.316777810Z], remaining: [22] secs
[2024-02-25T03:42:31,337][INFO ][com.microsoft.azure.eventhubs.impl.ReceivePump]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Stopping receive
pump for eventHub (insights-logs-applicationgatewayaccesslog), consumerGroup
($Default), partition (3) as per the request.
[2024-02-25T03:42:31,337][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Closing EH receiver
[2024-02-25T03:42:31,337][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364]
[2024-02-25T03:42:31,337][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver]
[2024-02-25T03:42:31,337][INFO ]
[com.microsoft.azure.eventhubs.impl.ActiveClientTokenManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientEntity[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver] -
canceling ActiveClientLinkManager
[2024-02-25T03:42:31,338][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
linkName[LN_163586_1708832038575_634_G17], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:31,338][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
linkName[LN_163586_1708832038575_634_G17], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:31,338][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/3], entityName[MF_1e7a59_1708832038364], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:42:31,339][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-
InternalReceiver], linkName[LN_163586_1708832038575_634_G17], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:31,339][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[PR_bbb34e_1708832038486_MF_1e7a59_1708832038364-InternalReceiver],
linkName[LN_163586_1708832038575_634_G17], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:31,339][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/3], entityName[MF_1e7a59_1708832038364], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:42:31,339][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: Closing EH client
[2024-02-25T03:42:31,339][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[EC_7a410d_1708832038364]
[2024-02-25T03:42:31,339][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[MF_1e7a59_1708832038364]
[2024-02-25T03:42:31,339][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalClose hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_1e7a59_1708832038364], errorCondition[null], errorDescription[null]
[2024-02-25T03:42:31,340][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:42:31,340][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:42:31,340][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:31,340][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose connectionId[cbs-session], entityName[MF_1e7a59_1708832038364],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:42:31,340][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[cbs], linkName[cbs:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:31,340][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:42:31,340][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:31,340][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:31,340][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onClose complete clientId[MF_1e7a59_1708832038364],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:42:31,340][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_1e7a59_1708832038364], hostName[yazure-eventhub-
apg01.servicebus.windows.net], info[cbsChannel closed]
[2024-02-25T03:42:31,341][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteClose hostname[yazure-eventhub-
apg01.servicebus.windows.net:5671], connectionId[MF_1e7a59_1708832038364],
errorCondition[null], errorDescription[null]
[2024-02-25T03:42:31,341][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionError messagingFactory[MF_1e7a59_1708832038364], hostname[yazure-
eventhub-apg01.servicebus.windows.net], error[null]
[2024-02-25T03:42:31,341][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_1e7a59_1708832038364], error[n/a]
[2024-02-25T03:42:31,341][INFO ]
[com.microsoft.azure.eventhubs.impl.CustomIOHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed name[MF_1e7a59_1708832038364], hostname[yazure-eventhub-
apg01.servicebus.windows.net:5671]
[2024-02-25T03:42:31,341][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionUnbound hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_1e7a59_1708832038364], state[CLOSED], remoteState[CLOSED]
[2024-02-25T03:42:31,341][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_1e7a59_1708832038364], entityName[cbs-session], condition[null],
description[null]
[2024-02-25T03:42:31,341][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_1e7a59_1708832038364], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/3], condition[null],
description[null]
[2024-02-25T03:42:31,341][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionFinal hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_1e7a59_1708832038364], errorCondition[null], errorDescription[null]
[2024-02-25T03:42:31,341][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_1e7a59_1708832038364], hostName[yazure-eventhub-
apg01.servicebus.windows.net], message[stopping the reactor because thread was
interrupted or the reactor has no more events to process.]
[2024-02-25T03:42:31,341][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is closing.
(reason=Shutdown)
[2024-02-25T03:42:31,341][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 3: releaseLease()
[2024-02-25T03:42:31,341][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(3)
expired -2714
[2024-02-25T03:42:31,767][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=540156057} forced-compaction result (captures: `3` span: `PT10.005228053S`)
[2024-02-25T03:42:31,767][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1346215174} forced-compaction result (captures: `3` span: `PT10.005368956S`)
[2024-02-25T03:42:31,768][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=827149645} forced-compaction result (captures: `3` span: `PT10.005389557S`)
[2024-02-25T03:42:31,768][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=235286487} forced-compaction result (captures: `3` span: `PT10.005286055S`)
[2024-02-25T03:42:31,768][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1065480294} forced-compaction result (captures: `3` span: `PT10.005301055S`)
[2024-02-25T03:42:31,768][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=57188157} forced-compaction result (captures: `3` span: `PT10.005300156S`)
[2024-02-25T03:42:31,768][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1486130488} forced-compaction result (captures: `3` span: `PT10.005301655S`)
[2024-02-25T03:42:31,768][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1741908330} forced-compaction result (captures: `3` span: `PT10.005303255S`)
[2024-02-25T03:42:31,768][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1466017590} forced-compaction result (captures: `3` span: `PT10.005303455S`)
[2024-02-25T03:42:31,768][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=272063376} forced-compaction result (captures: `3` span: `PT10.005304956S`)
[2024-02-25T03:42:31,768][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1815538147} forced-compaction result (captures: `3` span: `PT10.005306255S`)
[2024-02-25T03:42:31,768][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=273831222} forced-compaction result (captures: `3` span: `PT10.005307655S`)
[2024-02-25T03:42:31,768][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1255151645} forced-compaction result (captures: `3` span: `PT10.005306155S`)
[2024-02-25T03:42:31,768][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1620128012} forced-compaction result (captures: `3` span: `PT10.005315555S`)
[2024-02-25T03:42:31,768][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1001633036} forced-compaction result (captures: `3` span: `PT10.005316556S`)
[2024-02-25T03:42:31,768][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=969583785} forced-compaction result (captures: `3` span: `PT10.005316855S`)
[2024-02-25T03:42:31,940][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>35,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>28, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"}]=>[{"thre
ad_id"=>34, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:42:32,299][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:42:32,300][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:42:32,307][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:42:33,138][INFO ][com.microsoft.azure.eventhubs.impl.ReceivePump]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Stopping receive
pump for eventHub (insights-logs-applicationgatewayaccesslog), consumerGroup
($Default), partition (1) as per the request.
[2024-02-25T03:42:33,138][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: Closing EH receiver
[2024-02-25T03:42:33,138][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362]
[2024-02-25T03:42:33,138][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver]
[2024-02-25T03:42:33,138][INFO ]
[com.microsoft.azure.eventhubs.impl.ActiveClientTokenManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientEntity[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver] -
canceling ActiveClientLinkManager
[2024-02-25T03:42:33,138][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver],
linkName[LN_7535a2_1708832073460_45c_G10], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:33,138][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver],
linkName[LN_7535a2_1708832073460_45c_G10], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:33,138][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/1], entityName[MF_a4f1ec_1708832073362], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:42:33,140][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-
InternalReceiver], linkName[LN_7535a2_1708832073460_45c_G10], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:33,140][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[PR_d3f17e_1708832073419_MF_a4f1ec_1708832073362-InternalReceiver],
linkName[LN_7535a2_1708832073460_45c_G10], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:33,140][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/1], entityName[MF_a4f1ec_1708832073362], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:42:33,140][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: Closing EH client
[2024-02-25T03:42:33,140][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[EC_38d116_1708832073362]
[2024-02-25T03:42:33,140][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[MF_a4f1ec_1708832073362]
[2024-02-25T03:42:33,140][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalClose hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_a4f1ec_1708832073362], errorCondition[null], errorDescription[null]
[2024-02-25T03:42:33,141][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:42:33,141][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:42:33,141][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:33,141][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose connectionId[cbs-session], entityName[MF_a4f1ec_1708832073362],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:42:33,142][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[cbs], linkName[cbs:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:33,142][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:42:33,142][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:33,142][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:33,142][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onClose complete clientId[MF_a4f1ec_1708832073362],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:42:33,142][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_a4f1ec_1708832073362], hostName[yazure-eventhub-
apg01.servicebus.windows.net], info[cbsChannel closed]
[2024-02-25T03:42:33,142][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteClose hostname[yazure-eventhub-
apg01.servicebus.windows.net:5671], connectionId[MF_a4f1ec_1708832073362],
errorCondition[null], errorDescription[null]
[2024-02-25T03:42:33,142][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionError messagingFactory[MF_a4f1ec_1708832073362], hostname[yazure-
eventhub-apg01.servicebus.windows.net], error[null]
[2024-02-25T03:42:33,142][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_a4f1ec_1708832073362], error[n/a]
[2024-02-25T03:42:33,143][INFO ]
[com.microsoft.azure.eventhubs.impl.CustomIOHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed name[MF_a4f1ec_1708832073362], hostname[yazure-eventhub-
apg01.servicebus.windows.net:5671]
[2024-02-25T03:42:33,143][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionUnbound hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_a4f1ec_1708832073362], state[CLOSED], remoteState[CLOSED]
[2024-02-25T03:42:33,143][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_a4f1ec_1708832073362], entityName[cbs-session], condition[null],
description[null]
[2024-02-25T03:42:33,143][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_a4f1ec_1708832073362], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/1], condition[null],
description[null]
[2024-02-25T03:42:33,143][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionFinal hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_a4f1ec_1708832073362], errorCondition[null], errorDescription[null]
[2024-02-25T03:42:33,143][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_a4f1ec_1708832073362], hostName[yazure-eventhub-
apg01.servicebus.windows.net], message[stopping the reactor because thread was
interrupted or the reactor has no more events to process.]
[2024-02-25T03:42:33,143][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 is closing.
(reason=Shutdown)
[2024-02-25T03:42:33,143][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: 1: releaseLease()
[2024-02-25T03:42:33,143][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(1)
expired -9650
[2024-02-25T03:42:33,143][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
f056301f-f62d-4924-9f8c-3fe735190fe6: Partition manager exiting
[2024-02-25T03:42:33,144][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub
insights-logs-applicationgatewayaccesslog is closed.
[2024-02-25T03:42:36,770][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=2108110993} forced-compaction result (captures: `3` span: `PT10.005018649S`)
[2024-02-25T03:42:36,770][DEBUG]
[org.logstash.instrument.metrics.ExtendedFlowMetric] RetentionWindow{policy=current
id=1130893468} forced-compaction result (captures: `3` span: `PT10.005160553S`)
[2024-02-25T03:42:36,953][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>35,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>28, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"}]=>[{"thre
ad_id"=>34, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:42:37,305][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:42:37,305][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:42:37,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:42:41,965][WARN ][org.logstash.execution.ShutdownWatcherExt]
{"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>35,
"name"=>"[azure_waf_access]<azure_event_hubs",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/logstash-input-
azure_event_hubs-1.4.5/lib/logstash/inputs/azure_event_hubs.rb:470:in `block in
join'"}, {"thread_id"=>28, "name"=>"[azure_waf_access]-pipeline-manager",
"current_call"=>"[...]/vendor/bundle/jruby/3.1.0/gems/thwait-0.2.0/lib/
thwait.rb:112:in `pop'"}], ["LogStash::Filters::GeoIP", {"source"=>"[records]
[properties][clientIP]", "target"=>"geoip",
"id"=>"b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9"}]=>[{"thre
ad_id"=>34, "name"=>"[azure_waf_access]>worker0", "current_call"=>"[...]/logstash-
core/lib/logstash/java_pipeline.rb:304:in `block in start_workers'"}]}}
[2024-02-25T03:42:42,305][DEBUG][org.logstash.execution.PeriodicFlush]
[azure_waf_access] Pushing flush onto pipeline.
[2024-02-25T03:42:42,316][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Young Generation"}
[2024-02-25T03:42:42,316][DEBUG][logstash.instrument.periodicpoller.jvm] collector
name {:name=>"G1 Old Generation"}
[2024-02-25T03:42:42,712][INFO ][com.microsoft.azure.eventhubs.impl.ReceivePump]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Stopping receive
pump for eventHub (insights-logs-applicationgatewayaccesslog), consumerGroup
($Default), partition (2) as per the request.
[2024-02-25T03:42:42,712][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: Closing EH receiver
[2024-02-25T03:42:42,712][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[PR_539107_1708832038496_MF_00b33c_1708832038383]
[2024-02-25T03:42:42,712][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[PR_539107_1708832038496_MF_00b33c_1708832038383-InternalReceiver]
[2024-02-25T03:42:42,712][INFO ]
[com.microsoft.azure.eventhubs.impl.ActiveClientTokenManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientEntity[PR_539107_1708832038496_MF_00b33c_1708832038383-InternalReceiver] -
canceling ActiveClientLinkManager
[2024-02-25T03:42:42,712][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[PR_539107_1708832038496_MF_00b33c_1708832038383-InternalReceiver],
linkName[LN_c22bd3_1708832038545_dc7f_G9], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:42,712][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[PR_539107_1708832038496_MF_00b33c_1708832038383-InternalReceiver],
linkName[LN_c22bd3_1708832038545_dc7f_G9], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:42,713][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/2], entityName[MF_00b33c_1708832038383], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:42:42,715][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[PR_539107_1708832038496_MF_00b33c_1708832038383-
InternalReceiver], linkName[LN_c22bd3_1708832038545_dc7f_G9], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:42,715][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[PR_539107_1708832038496_MF_00b33c_1708832038383-InternalReceiver],
linkName[LN_c22bd3_1708832038545_dc7f_G9], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:42,715][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteClose
connectionId[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/2], entityName[MF_00b33c_1708832038383], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:42:42,715][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: Closing EH client
[2024-02-25T03:42:42,715][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[EC_429069_1708832038383]
[2024-02-25T03:42:42,715][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[MF_00b33c_1708832038383]
[2024-02-25T03:42:42,716][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalClose hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_00b33c_1708832038383], errorCondition[null], errorDescription[null]
[2024-02-25T03:42:42,716][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:42:42,716][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:42:42,716][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:42,716][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose connectionId[cbs-session], entityName[MF_00b33c_1708832038383],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:42:42,727][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[cbs], linkName[cbs:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:42,727][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[cbs], linkName[cbs:sender], errorCondition[null], errorDescription[null]
[2024-02-25T03:42:42,727][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:42,727][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[cbs], linkName[cbs:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:42:42,727][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onClose complete clientId[MF_00b33c_1708832038383],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:42:42,727][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_00b33c_1708832038383], hostName[yazure-eventhub-
apg02.servicebus.windows.net], info[cbsChannel closed]
[2024-02-25T03:42:42,727][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteClose hostname[yazure-eventhub-
apg02.servicebus.windows.net:5671], connectionId[MF_00b33c_1708832038383],
errorCondition[null], errorDescription[null]
[2024-02-25T03:42:42,727][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionError messagingFactory[MF_00b33c_1708832038383], hostname[yazure-
eventhub-apg02.servicebus.windows.net], error[null]
[2024-02-25T03:42:42,727][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_00b33c_1708832038383], error[n/a]
[2024-02-25T03:42:42,727][INFO ]
[com.microsoft.azure.eventhubs.impl.CustomIOHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed name[MF_00b33c_1708832038383], hostname[yazure-eventhub-
apg02.servicebus.windows.net:5671]
[2024-02-25T03:42:42,728][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionUnbound hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_00b33c_1708832038383], state[CLOSED], remoteState[CLOSED]
[2024-02-25T03:42:42,728][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_00b33c_1708832038383], entityName[cbs-session], condition[null],
description[null]
[2024-02-25T03:42:42,728][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_00b33c_1708832038383], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/2], condition[null],
description[null]
[2024-02-25T03:42:42,728][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionFinal hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_00b33c_1708832038383], errorCondition[null], errorDescription[null]
[2024-02-25T03:42:42,728][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_00b33c_1708832038383], hostName[yazure-eventhub-
apg02.servicebus.windows.net], message[stopping the reactor because thread was
interrupted or the reactor has no more events to process.]
[2024-02-25T03:42:42,728][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 2 is closing.
(reason=Shutdown)
[2024-02-25T03:42:42,728][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: 2: releaseLease()
[2024-02-25T03:42:42,728][DEBUG]
[com.microsoft.azure.eventprocessorhost.InMemoryLeaseManager$InMemoryLease]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] isExpired(2)
expired -14120
[2024-02-25T03:42:42,728][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
c87726d9-a7c4-448f-a604-503c9c65536a: Partition manager exiting
[2024-02-25T03:42:42,729][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub
insights-logs-applicationgatewayaccesslog is closed.
[2024-02-25T03:42:42,747][DEBUG][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Closing
{:plugin=>"LogStash::Inputs::AzureEventHubs"}
[2024-02-25T03:42:42,757][DEBUG][logstash.pluginmetadata ][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Removing
metadata for plugin
e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8
[2024-02-25T03:42:42,759][DEBUG][logstash.javapipeline ][azure_waf_access] Input
plugins stopped! Will shutdown filter/output workers.
{:pipeline_id=>"azure_waf_access", :thread=>"#<Thread:0x3de9cd2d
/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}
[2024-02-25T03:42:42,770][DEBUG][logstash.javapipeline ][azure_waf_access]
Shutdown waiting for worker thread
{:pipeline_id=>"azure_waf_access",
:thread=>"#<LogStash::WorkerLoopThread:0x6e9c0f56
/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:300 run>"}
[2024-02-25T03:42:42,830][DEBUG][logstash.filters.split ][azure_waf_access]
Closing {:plugin=>"LogStash::Filters::Split"}
[2024-02-25T03:42:42,831][DEBUG][logstash.pluginmetadata ][azure_waf_access]
Removing metadata for plugin
c9dc54bab189bcc2e72eeb2fbd060cc34f16257f502c7ae071523926284f8c3c
[2024-02-25T03:42:42,832][DEBUG][logstash.filters.json ][azure_waf_access]
Closing {:plugin=>"LogStash::Filters::Json"}
[2024-02-25T03:42:42,832][DEBUG][logstash.pluginmetadata ][azure_waf_access]
Removing metadata for plugin
13030e5da7228f05c45b370a60d186125de0fce1dc2c99da1981116dcdcee007
[2024-02-25T03:42:42,832][DEBUG][logstash.filters.geoip ][azure_waf_access]
Closing {:plugin=>"LogStash::Filters::GeoIP"}
[2024-02-25T03:42:42,841][DEBUG][logstash.pluginmetadata ][azure_waf_access]
Removing metadata for plugin
b2323a9d19abd7b3641896e41fcf9bd4c96b0c23f55974764be057edaa778ce9
[2024-02-25T03:42:42,841][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
Closing {:plugin=>"LogStash::Outputs::ElasticSearch"}
[2024-02-25T03:42:42,853][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
Stopping sniffer
[2024-02-25T03:42:42,861][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
Stopping resurrectionist
[2024-02-25T03:42:43,739][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
Waiting for in use manticore connections
[2024-02-25T03:42:43,751][DEBUG][logstash.outputs.elasticsearch][azure_waf_access]
Closing adapter
#<LogStash::Outputs::ElasticSearch::HttpClient::ManticoreAdapter:0x2691ce46>
[2024-02-25T03:42:43,780][DEBUG][logstash.pluginmetadata ][azure_waf_access]
Removing metadata for plugin
002863306c3be9a7ef2cc1f5800ce366a73b96b72ca00b8328b725d162527529
[2024-02-25T03:42:43,789][DEBUG][logstash.javapipeline ][azure_waf_access]
Pipeline has been shutdown
{:pipeline_id=>"azure_waf_access", :thread=>"#<Thread:0x3de9cd2d
/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}
[2024-02-25T03:42:43,790][INFO ][logstash.javapipeline ][azure_waf_access]
Pipeline terminated {"pipeline.id"=>"azure_waf_access"}
[2024-02-25T03:42:44,044][INFO ][logstash.pipelinesregistry] Removed pipeline from
registry successfully {:pipeline_id=>:azure_waf_access}
[2024-02-25T03:42:44,056][DEBUG][logstash.instrument.periodicpoller.os] Stopping
[2024-02-25T03:42:44,083][DEBUG][logstash.instrument.periodicpoller.jvm] Stopping
[2024-02-25T03:42:44,084][DEBUG]
[logstash.instrument.periodicpoller.persistentqueue] Stopping
[2024-02-25T03:42:44,084][DEBUG]
[logstash.instrument.periodicpoller.deadletterqueue] Stopping
[2024-02-25T03:42:44,084][DEBUG][logstash.instrument.periodicpoller.flowrate]
Stopping
[2024-02-25T03:42:44,137][DEBUG][logstash.agent ] API WebServer has
stopped running
[2024-02-25T03:42:44,137][INFO ][logstash.runner ] Logstash shut down.
[2024-02-25T03:45:22,167][INFO ][logstash.runner ] Log4j configuration
path used is: /etc/logstash/log4j2.properties
[2024-02-25T03:45:22,197][INFO ][logstash.runner ] Starting Logstash
{"logstash.version"=>"8.11.4", "jruby.version"=>"jruby 9.4.5.0 (3.1.4) 2023-11-02
1abae2700f OpenJDK 64-Bit Server VM 17.0.9+9 on 17.0.9+9 +indy +jit
[x86_64-linux]"}
[2024-02-25T03:45:22,208][INFO ][logstash.runner ] JVM bootstrap flags:
[-Xms4g, -Xmx4g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8,
-Djruby.compile.invokedynamic=true, -Djruby.jit.threshold=0,
-Djruby.regexp.interruptible=true, -XX:+HeapDumpOnOutOfMemoryError,
-Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true,
--add-opens=java.base/sun.nio.ch=ALL-UNNAMED,
--add-opens=java.base/java.io=ALL-UNNAMED, -Djdk.io.File.enableADS=true,
--add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED,
--add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED,
--add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED,
--add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED,
--add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED,
--add-opens=java.base/java.security=ALL-UNNAMED,
--add-opens=java.base/java.io=ALL-UNNAMED,
--add-opens=java.base/java.nio.channels=ALL-UNNAMED,
--add-opens=java.base/sun.nio.ch=ALL-UNNAMED,
--add-opens=java.management/sun.management=ALL-UNNAMED]
[2024-02-25T03:45:26,147][INFO ][logstash.agent ] Successfully started
Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[2024-02-25T03:45:30,219][INFO ][org.reflections.Reflections] Reflections took 657
ms to scan 1 urls, producing 131 keys and 463 values
[2024-02-25T03:45:35,224][INFO ][logstash.javapipeline ] Pipeline `cucm` is
configured with `pipeline.ecs_compatibility: v8` setting. All plugins in this
pipeline will default to `ecs_compatibility => v8` unless explicitly configured
otherwise.
[2024-02-25T03:45:35,261][INFO ][logstash.javapipeline ] Pipeline
`yhq_cisco_asav_azure` is configured with `pipeline.ecs_compatibility: v8` setting.
All plugins in this pipeline will default to `ecs_compatibility => v8` unless
explicitly configured otherwise.
[2024-02-25T03:45:35,278][INFO ][logstash.javapipeline ] Pipeline
`azure_waf_access` is configured with `pipeline.ecs_compatibility: v8` setting. All
plugins in this pipeline will default to `ecs_compatibility => v8` unless
explicitly configured otherwise.
[2024-02-25T03:45:35,287][INFO ][logstash.javapipeline ] Pipeline
`PA_FactoryPA_ThreatIntel` is configured with `pipeline.ecs_compatibility: v8`
setting. All plugins in this pipeline will default to `ecs_compatibility => v8`
unless explicitly configured otherwise.
[2024-02-25T03:45:35,308][INFO ][logstash.javapipeline ] Pipeline `zscaler` is
configured with `pipeline.ecs_compatibility: v8` setting. All plugins in this
pipeline will default to `ecs_compatibility => v8` unless explicitly configured
otherwise.
[2024-02-25T03:45:35,554][INFO ][logstash.outputs.elasticsearch]
[yhq_cisco_asav_azure] New Elasticsearch output
{:class=>"LogStash::Outputs::ElasticSearch",
:hosts=>["https://32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243"]}
[2024-02-25T03:45:35,556][INFO ][logstash.outputs.elasticsearch]
[PA_FactoryPA_ThreatIntel] New Elasticsearch output
{:class=>"LogStash::Outputs::ElasticSearch",
:hosts=>["https://32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243"]}
[2024-02-25T03:45:35,556][INFO ][logstash.outputs.elasticsearch][azure_waf_access]
New Elasticsearch output
{:class=>"LogStash::Outputs::ElasticSearch",
:hosts=>["https://32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243"]}
[2024-02-25T03:45:35,572][INFO ][logstash.outputs.elasticsearch][cucm] New
Elasticsearch output
{:class=>"LogStash::Outputs::ElasticSearch",
:hosts=>["https://32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243"]}
[2024-02-25T03:45:35,581][INFO ][logstash.outputs.elasticsearch][zscaler] New
Elasticsearch output
{:class=>"LogStash::Outputs::ElasticSearch",
:hosts=>["https://32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243"]}
[2024-02-25T03:45:36,230][INFO ][logstash.outputs.elasticsearch][azure_waf_access]
Elasticsearch pool URLs updated {:changes=>{:removed=>[],
:added=>[https://logstash_internal:xxxxxx@32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243/]}}
[2024-02-25T03:45:36,249][INFO ][logstash.outputs.elasticsearch][cucm]
Elasticsearch pool URLs updated {:changes=>{:removed=>[],
:added=>[https://logstash_internal:xxxxxx@32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243/]}}
[2024-02-25T03:45:36,238][INFO ][logstash.outputs.elasticsearch]
[PA_FactoryPA_ThreatIntel] Elasticsearch pool URLs updated
{:changes=>{:removed=>[],
:added=>[https://logstash_internal:xxxxxx@32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243/]}}
[2024-02-25T03:45:36,266][INFO ][logstash.outputs.elasticsearch]
[yhq_cisco_asav_azure] Elasticsearch pool URLs updated
{:changes=>{:removed=>[],
:added=>[https://logstash_internal:xxxxxx@32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243/]}}
[2024-02-25T03:45:36,229][INFO ][logstash.outputs.elasticsearch][zscaler]
Elasticsearch pool URLs updated {:changes=>{:removed=>[],
:added=>[https://logstash_internal:xxxxxx@32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243/]}}
[2024-02-25T03:45:37,970][WARN ][logstash.outputs.elasticsearch][cucm] Restored
connection to ES instance
{:url=>"https://logstash_internal:xxxxxx@32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243/"}
[2024-02-25T03:45:37,972][WARN ][logstash.outputs.elasticsearch]
[PA_FactoryPA_ThreatIntel] Restored connection to ES instance
{:url=>"https://logstash_internal:xxxxxx@32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243/"}
[2024-02-25T03:45:37,993][INFO ][logstash.outputs.elasticsearch]
[PA_FactoryPA_ThreatIntel] Elasticsearch version determined (8.10.3)
{:es_version=>8}
[2024-02-25T03:45:37,998][WARN ][logstash.outputs.elasticsearch][azure_waf_access]
Restored connection to ES instance
{:url=>"https://logstash_internal:xxxxxx@32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243/"}
[2024-02-25T03:45:38,001][WARN ][logstash.outputs.elasticsearch][zscaler] Restored
connection to ES instance
{:url=>"https://logstash_internal:xxxxxx@32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243/"}
[2024-02-25T03:45:38,002][INFO ][logstash.outputs.elasticsearch][zscaler]
Elasticsearch version determined (8.10.3) {:es_version=>8}
[2024-02-25T03:45:38,003][WARN ][logstash.outputs.elasticsearch]
[PA_FactoryPA_ThreatIntel] Detected a 6.x and above cluster: the `type` event field
won't be used to determine the document _type {:es_version=>8}
[2024-02-25T03:45:38,009][INFO ][logstash.outputs.elasticsearch][cucm]
Elasticsearch version determined (8.10.3) {:es_version=>8}
[2024-02-25T03:45:38,010][WARN ][logstash.outputs.elasticsearch][cucm] Detected a
6.x and above cluster: the `type` event field won't be used to determine the
document _type {:es_version=>8}
[2024-02-25T03:45:38,017][INFO ][logstash.outputs.elasticsearch][azure_waf_access]
Elasticsearch version determined (8.10.3) {:es_version=>8}
[2024-02-25T03:45:38,018][WARN ][logstash.outputs.elasticsearch][azure_waf_access]
Detected a 6.x and above cluster: the `type` event field won't be used to determine
the document _type {:es_version=>8}
[2024-02-25T03:45:38,020][WARN ][logstash.outputs.elasticsearch][zscaler] Detected
a 6.x and above cluster: the `type` event field won't be used to determine the
document _type {:es_version=>8}
[2024-02-25T03:45:38,038][WARN ][logstash.outputs.elasticsearch]
[yhq_cisco_asav_azure] Restored connection to ES instance
{:url=>"https://logstash_internal:xxxxxx@32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243/"}
[2024-02-25T03:45:38,038][INFO ][logstash.outputs.elasticsearch]
[yhq_cisco_asav_azure] Elasticsearch version determined (8.10.3) {:es_version=>8}
[2024-02-25T03:45:38,039][WARN ][logstash.outputs.elasticsearch]
[yhq_cisco_asav_azure] Detected a 6.x and above cluster: the `type` event field
won't be used to determine the document _type {:es_version=>8}
[2024-02-25T03:45:38,148][INFO ][logstash.outputs.elasticsearch][cucm] Not eligible
for data streams because config contains one or more settings that are not
compatible with data streams: {"ilm_enabled"=>"true",
"ilm_rollover_alias"=>"yokogawa-yhq-cucm", "ilm_policy"=>"yokogawa-ilm-policy",
"ilm_pattern"=>"000001"}
[2024-02-25T03:45:38,149][INFO ][logstash.outputs.elasticsearch][azure_waf_access]
Not eligible for data streams because config contains one or more settings that are
not compatible with data streams: {"ilm_enabled"=>"true",
"ilm_rollover_alias"=>"yokogawa-azure-waf", "ilm_policy"=>"yokogawa-ilm-policy",
"ilm_pattern"=>"000001"}
[2024-02-25T03:45:38,150][INFO ][logstash.outputs.elasticsearch]
[PA_FactoryPA_ThreatIntel] Not eligible for data streams because config contains
one or more settings that are not compatible with data streams:
{"index"=>"yokogawa-global-threatintel"}
[2024-02-25T03:45:38,158][INFO ][logstash.outputs.elasticsearch][zscaler] Not
eligible for data streams because config contains one or more settings that are not
compatible with data streams: {"ilm_enabled"=>"true",
"ilm_rollover_alias"=>"yokogawa-yhq-zscaler1", "ilm_policy"=>"yokogawa-ilm-policy",
"ilm_pattern"=>"000001"}
[2024-02-25T03:45:38,159][INFO ][logstash.outputs.elasticsearch][zscaler] Data
streams auto configuration (`data_stream => auto` or unset) resolved to `false`
[2024-02-25T03:45:38,172][INFO ][logstash.outputs.elasticsearch]
[yhq_cisco_asav_azure] Not eligible for data streams because config contains one or
more settings that are not compatible with data streams: {"ilm_enabled"=>"true",
"ilm_rollover_alias"=>"yokogawa-yhq-cisco-asav-azure",
"ilm_policy"=>"yokogawa-ilm-policy", "ilm_pattern"=>"000001"}
[2024-02-25T03:45:38,172][INFO ][logstash.outputs.elasticsearch]
[yhq_cisco_asav_azure] Data streams auto configuration (`data_stream => auto` or
unset) resolved to `false`
[2024-02-25T03:45:38,190][INFO ][logstash.outputs.elasticsearch]
[PA_FactoryPA_ThreatIntel] Data streams auto configuration (`data_stream => auto`
or unset) resolved to `false`
[2024-02-25T03:45:38,220][INFO ][logstash.outputs.elasticsearch][azure_waf_access]
Data streams auto configuration (`data_stream => auto` or unset) resolved to
`false`
[2024-02-25T03:45:38,230][INFO ][logstash.outputs.elasticsearch][cucm] Data streams
auto configuration (`data_stream => auto` or unset) resolved to `false`
[2024-02-25T03:45:38,239][INFO ][logstash.outputs.elasticsearch]
[PA_FactoryPA_ThreatIntel] New Elasticsearch output
{:class=>"LogStash::Outputs::ElasticSearch",
:hosts=>["https://32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243"]}
[2024-02-25T03:45:38,303][INFO ][logstash.outputs.elasticsearch]
[PA_FactoryPA_ThreatIntel] Elasticsearch pool URLs updated
{:changes=>{:removed=>[],
:added=>[https://logstash_internal:xxxxxx@32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243/]}}
[2024-02-25T03:45:38,393][INFO ][logstash.filters.json ][azure_waf_access] ECS
compatibility is enabled but `target` option was not specified. This may cause
fields to be set at the top-level of the event where they are likely to clash with
the Elastic Common Schema. It is recommended to set the `target` option to avoid
potential schema conflicts (if your data is ECS compliant or non-conflicting, feel
free to ignore this message)
[2024-02-25T03:45:38,392][WARN ][logstash.filters.grok ][zscaler] ECS v8 support
is a preview of the unreleased ECS v8, and uses the v1 patterns. When Version 8 of
the Elastic Common Schema becomes available, this plugin will need to be updated
[2024-02-25T03:45:38,430][WARN ][logstash.filters.grok ][yhq_cisco_asav_azure]
ECS v8 support is a preview of the unreleased ECS v8, and uses the v1 patterns.
When Version 8 of the Elastic Common Schema becomes available, this plugin will
need to be updated
[2024-02-25T03:45:38,440][WARN ][logstash.filters.grok ][cucm] ECS v8 support is
a preview of the unreleased ECS v8, and uses the v1 patterns. When Version 8 of the
Elastic Common Schema becomes available, this plugin will need to be updated
[2024-02-25T03:45:38,492][INFO ][logstash.outputs.elasticsearch]
[yhq_cisco_asav_azure] Using a default mapping template
{:es_version=>8, :ecs_compatibility=>:v8}
[2024-02-25T03:45:38,494][INFO ][logstash.outputs.elasticsearch][cucm] Using a
default mapping template {:es_version=>8, :ecs_compatibility=>:v8}
[2024-02-25T03:45:38,522][INFO ][logstash.outputs.elasticsearch][zscaler] Using a
default mapping template {:es_version=>8, :ecs_compatibility=>:v8}
[2024-02-25T03:45:38,531][WARN ][logstash.outputs.elasticsearch]
[PA_FactoryPA_ThreatIntel] Restored connection to ES instance
{:url=>"https://logstash_internal:xxxxxx@32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243/"}
[2024-02-25T03:45:38,532][INFO ][logstash.outputs.elasticsearch]
[PA_FactoryPA_ThreatIntel] Elasticsearch version determined (8.10.3)
{:es_version=>8}
[2024-02-25T03:45:38,533][WARN ][logstash.outputs.elasticsearch]
[PA_FactoryPA_ThreatIntel] Detected a 6.x and above cluster: the `type` event field
won't be used to determine the document _type {:es_version=>8}
[2024-02-25T03:45:38,602][WARN ][logstash.filters.geoip ][azure_waf_access] ECS
expect `target` value `geoip` in ["client", "destination", "host", "observer",
"server", "source"]
[2024-02-25T03:45:38,622][INFO ][logstash.outputs.elasticsearch][azure_waf_access]
Using a default mapping template {:es_version=>8, :ecs_compatibility=>:v8}
[2024-02-25T03:45:38,692][INFO ][logstash.outputs.elasticsearch]
[PA_FactoryPA_ThreatIntel] Not eligible for data streams because config contains
one or more settings that are not compatible with data streams:
{"ilm_enabled"=>"true", "ilm_rollover_alias"=>"yokogawa-yhq-factorypaloalto",
"ilm_policy"=>"yokogawa-ilm-policy", "ilm_pattern"=>"000001"}
[2024-02-25T03:45:38,693][INFO ][logstash.outputs.elasticsearch]
[PA_FactoryPA_ThreatIntel] Data streams auto configuration (`data_stream => auto`
or unset) resolved to `false`
[2024-02-25T03:45:38,753][INFO ][logstash.outputs.elasticsearch]
[PA_FactoryPA_ThreatIntel] Using a default mapping template
{:es_version=>8, :ecs_compatibility=>:v8}
[2024-02-25T03:45:38,771][INFO ][logstash.outputs.elasticsearch]
[PA_FactoryPA_ThreatIntel] New Elasticsearch output
{:class=>"LogStash::Outputs::ElasticSearch",
:hosts=>["https://32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243"]}
[2024-02-25T03:45:38,792][INFO ][logstash.outputs.elasticsearch]
[PA_FactoryPA_ThreatIntel] Elasticsearch pool URLs updated
{:changes=>{:removed=>[],
:added=>[https://logstash_internal:xxxxxx@32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243/]}}
[2024-02-25T03:45:38,985][WARN ][logstash.outputs.elasticsearch]
[PA_FactoryPA_ThreatIntel] Restored connection to ES instance
{:url=>"https://logstash_internal:xxxxxx@32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243/"}
[2024-02-25T03:45:38,995][INFO ][logstash.outputs.elasticsearch]
[PA_FactoryPA_ThreatIntel] Elasticsearch version determined (8.10.3)
{:es_version=>8}
[2024-02-25T03:45:39,004][INFO ][logstash.outputs.elasticsearch]
[PA_FactoryPA_ThreatIntel] Using a default mapping template
{:es_version=>8, :ecs_compatibility=>:v8}
[2024-02-25T03:45:39,042][WARN ][logstash.outputs.elasticsearch]
[PA_FactoryPA_ThreatIntel] Detected a 6.x and above cluster: the `type` event field
won't be used to determine the document _type {:es_version=>8}
[2024-02-25T03:45:39,133][INFO ][logstash.outputs.elasticsearch]
[PA_FactoryPA_ThreatIntel] Not eligible for data streams because config contains
one or more settings that are not compatible with data streams:
{"ilm_enabled"=>"true", "ilm_rollover_alias"=>"yokogawa-yhq-paloalto",
"ilm_policy"=>"yokogawa-ilm-policy", "ilm_pattern"=>"000001"}
[2024-02-25T03:45:39,134][INFO ][logstash.outputs.elasticsearch]
[PA_FactoryPA_ThreatIntel] Data streams auto configuration (`data_stream => auto`
or unset) resolved to `false`
[2024-02-25T03:45:39,185][INFO ][logstash.outputs.elasticsearch]
[PA_FactoryPA_ThreatIntel] Using a default mapping template
{:es_version=>8, :ecs_compatibility=>:v8}
[2024-02-25T03:45:39,447][WARN ][logstash.javapipeline ]
[PA_FactoryPA_ThreatIntel] 'pipeline.ordered' is enabled and is likely less
efficient, consider disabling if preserving event order is not necessary
[2024-02-25T03:45:39,709][WARN ][logstash.filters.grok ][cucm] ECS v8 support is
a preview of the unreleased ECS v8, and uses the v1 patterns. When Version 8 of the
Elastic Common Schema becomes available, this plugin will need to be updated
[2024-02-25T03:45:39,747][INFO ][logstash.filters.csv ][zscaler] ECS
compatibility is enabled but `target` option was not specified. This may cause
fields to be set at the top-level of the event where they are likely to clash with
the Elastic Common Schema. It is recommended to set the `target` option to avoid
potential schema conflicts (if your data is ECS compliant or non-conflicting, feel
free to ignore this message)
[2024-02-25T03:45:39,797][WARN ][logstash.filters.grok ][zscaler] ECS v8 support
is a preview of the unreleased ECS v8, and uses the v1 patterns. When Version 8 of
the Elastic Common Schema becomes available, this plugin will need to be updated
[2024-02-25T03:45:39,890][WARN ][logstash.javapipeline ][cucm]
'pipeline.ordered' is enabled and is likely less efficient, consider disabling if
preserving event order is not necessary
[2024-02-25T03:45:40,139][INFO ][logstash.javapipeline ][cucm] Starting pipeline
{:pipeline_id=>"cucm", "pipeline.workers"=>1, "pipeline.batch.size"=>125,
"pipeline.batch.delay"=>50, "pipeline.max_inflight"=>125,
"pipeline.sources"=>["/etc/logstash/conf.d/cucm.cfg"], :thread=>"#<Thread:0xa06bfde
/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}
[2024-02-25T03:45:40,148][INFO ][logstash.javapipeline ]
[PA_FactoryPA_ThreatIntel] Starting pipeline
{:pipeline_id=>"PA_FactoryPA_ThreatIntel", "pipeline.workers"=>1,
"pipeline.batch.size"=>1000, "pipeline.batch.delay"=>50,
"pipeline.max_inflight"=>1000,
"pipeline.sources"=>["/etc/logstash/conf.d/yhq_azurePA_factoryPA_threatintel.conf"],
:thread=>"#<Thread:0x489cdfd7
/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}
[2024-02-25T03:45:40,158][INFO ][logstash.javapipeline ][zscaler] Starting
pipeline {:pipeline_id=>"zscaler", "pipeline.workers"=>4,
"pipeline.batch.size"=>125, "pipeline.batch.delay"=>50,
"pipeline.max_inflight"=>500,
"pipeline.sources"=>["/etc/logstash/conf.d/zscaler.conf"],
:thread=>"#<Thread:0x3e6292d6
/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}
[2024-02-25T03:45:40,661][INFO ][logstash.javapipeline ] Pipeline `ad` is
configured with `pipeline.ecs_compatibility: v8` setting. All plugins in this
pipeline will default to `ecs_compatibility => v8` unless explicitly configured
otherwise.
[2024-02-25T03:45:41,126][INFO ][logstash.outputs.elasticsearch][ad] New
Elasticsearch output
{:class=>"LogStash::Outputs::ElasticSearch",
:hosts=>["https://32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243"]}
[2024-02-25T03:45:41,154][INFO ][logstash.outputs.elasticsearch][ad] Elasticsearch
pool URLs updated {:changes=>{:removed=>[],
:added=>[https://logstash_internal:xxxxxx@32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243/]}}
[2024-02-25T03:45:41,301][WARN ][logstash.outputs.elasticsearch][ad] Restored
connection to ES instance
{:url=>"https://logstash_internal:xxxxxx@32e3ba65a2fc4416939d56e649963b5a.ap-northeast-1.aws.found.io:9243/"}
[2024-02-25T03:45:41,301][INFO ][logstash.outputs.elasticsearch][ad] Elasticsearch
version determined (8.10.3) {:es_version=>8}
[2024-02-25T03:45:41,301][WARN ][logstash.outputs.elasticsearch][ad] Detected a 6.x
and above cluster: the `type` event field won't be used to determine the document
_type {:es_version=>8}
[2024-02-25T03:45:41,332][INFO ][logstash.outputs.elasticsearch][ad] Not eligible
for data streams because config contains one or more settings that are not
compatible with data streams: {"ilm_enabled"=>"true",
"ilm_rollover_alias"=>"yokogawa-yhq-ad", "ilm_policy"=>"yokogawa-ilm-policy",
"ilm_pattern"=>"000001"}
[2024-02-25T03:45:41,333][INFO ][logstash.outputs.elasticsearch][ad] Data streams
auto configuration (`data_stream => auto` or unset) resolved to `false`
[2024-02-25T03:45:41,447][INFO ][logstash.javapipeline ][ad] Starting pipeline
{:pipeline_id=>"ad", "pipeline.workers"=>2, "pipeline.batch.size"=>125,
"pipeline.batch.delay"=>50, "pipeline.max_inflight"=>250,
"pipeline.sources"=>["/etc/logstash/conf.d/ad.conf"], :thread=>"#<Thread:0x7e786f5b
/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}
[2024-02-25T03:45:41,451][INFO ][logstash.outputs.elasticsearch][ad] Using a
default mapping template {:es_version=>8, :ecs_compatibility=>:v8}
[2024-02-25T03:45:42,592][WARN ][logstash.filters.geoip ][yhq_cisco_asav_azure]
ECS expect `target` value `sourcelocation` in ["client", "destination", "host",
"observer", "server", "source"]
[2024-02-25T03:45:43,496][INFO ][logstash.filters.geoip.downloadmanager] new
database version detected? false
[2024-02-25T03:45:43,851][INFO ][logstash.javapipeline ]
[PA_FactoryPA_ThreatIntel] Pipeline Java execution initialization time
{"seconds"=>3.69}
[2024-02-25T03:45:44,111][INFO ][logstash.filters.geoip.databasemanager]
[azure_waf_access] By not manually configuring a database path with `database =>`,
you accepted and agreed MaxMind EULA. For more details please visit
https://www.maxmind.com/en/geolite2/eula
[2024-02-25T03:45:44,120][INFO ][logstash.filters.geoip.databasemanager]
[yhq_cisco_asav_azure] By not manually configuring a database path with `database
=>`, you accepted and agreed MaxMind EULA. For more details please visit
https://www.maxmind.com/en/geolite2/eula
[2024-02-25T03:45:44,121][INFO ][logstash.filters.geoip ][yhq_cisco_asav_azure]
Using geoip database
{:path=>"/var/lib/logstash/plugins/filters/geoip/1708831720/GeoLite2-City.mmdb"}
[2024-02-25T03:45:44,130][INFO ][logstash.filters.geoip ][azure_waf_access] Using
geoip database
{:path=>"/var/lib/logstash/plugins/filters/geoip/1708831720/GeoLite2-City.mmdb"}
[2024-02-25T03:45:44,179][INFO ][logstash.javapipeline ][cucm] Pipeline Java
execution initialization time {"seconds"=>4.04}
[2024-02-25T03:45:44,201][WARN ][logstash.javapipeline ][azure_waf_access]
'pipeline.ordered' is enabled and is likely less efficient, consider disabling if
preserving event order is not necessary
[2024-02-25T03:45:44,219][WARN ][logstash.filters.grok ][yhq_cisco_asav_azure]
ECS v8 support is a preview of the unreleased ECS v8, and uses the v1 patterns.
When Version 8 of the Elastic Common Schema becomes available, this plugin will
need to be updated
[2024-02-25T03:45:44,244][INFO ][logstash.inputs.beats ]
[PA_FactoryPA_ThreatIntel] Starting input listener {:address=>"0.0.0.0:5045"}
[2024-02-25T03:45:44,271][INFO ][logstash.javapipeline ][azure_waf_access]
Starting pipeline {:pipeline_id=>"azure_waf_access", "pipeline.workers"=>1,
"pipeline.batch.size"=>125, "pipeline.batch.delay"=>50,
"pipeline.max_inflight"=>125,
"pipeline.sources"=>["/etc/logstash/conf.d/yhq-azurewaf-accesslog.conf"],
:thread=>"#<Thread:0x6ac95e6
/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}
[2024-02-25T03:45:44,310][WARN ][logstash.filters.grok ][yhq_cisco_asav_azure]
ECS v8 support is a preview of the unreleased ECS v8, and uses the v1 patterns.
When Version 8 of the Elastic Common Schema becomes available, this plugin will
need to be updated
[2024-02-25T03:45:44,411][WARN ][logstash.javapipeline ][yhq_cisco_asav_azure]
'pipeline.ordered' is enabled and is likely less efficient, consider disabling if
preserving event order is not necessary
[2024-02-25T03:45:44,471][INFO ][logstash.javapipeline ][yhq_cisco_asav_azure]
Starting pipeline {:pipeline_id=>"yhq_cisco_asav_azure", "pipeline.workers"=>1,
"pipeline.batch.size"=>125, "pipeline.batch.delay"=>50,
"pipeline.max_inflight"=>125,
"pipeline.sources"=>["/etc/logstash/conf.d/yhq-cisco-asav-azure.conf"],
:thread=>"#<Thread:0x709f9c0e
/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}
[2024-02-25T03:45:44,482][INFO ][logstash.javapipeline ][azure_waf_access]
Pipeline Java execution initialization time {"seconds"=>0.21}
[2024-02-25T03:45:44,520][INFO ][logstash.javapipeline ]
[PA_FactoryPA_ThreatIntel] Pipeline started
{"pipeline.id"=>"PA_FactoryPA_ThreatIntel"}
[2024-02-25T03:45:45,463][INFO ][org.logstash.beats.Server]
[PA_FactoryPA_ThreatIntel]
[f5e6bf34d757c86b76a167505a44c62fa691eeb85f93256337577143342cc399] Starting server
on port: 5045
[2024-02-25T03:45:46,353][INFO ][logstash.javapipeline ][yhq_cisco_asav_azure]
Pipeline Java execution initialization time {"seconds"=>1.86}
[2024-02-25T03:45:46,458][INFO ][logstash.javapipeline ][azure_waf_access]
Pipeline started {"pipeline.id"=>"azure_waf_access"}
[2024-02-25T03:45:46,542][INFO ][logstash.javapipeline ][cucm] Pipeline started
{"pipeline.id"=>"cucm"}
[2024-02-25T03:45:46,755][INFO ][filewatch.observingtail ][cucm]
[18b2f5afa47f4c9ee480e623c9d3fceedbe2c1d6a9d25c910be9358dd86df178] START, creating
Discoverer, Watch with file and sincedb collections
[2024-02-25T03:45:46,775][INFO ][logstash.inputs.file ][yhq_cisco_asav_azure]
No sincedb_path set, generating one based on the "path" setting
{:sincedb_path=>"/var/lib/logstash/plugins/inputs/file/.sincedb_07f533481b0ff948c4582a820764a9fc",
:path=>["/var/log/cisco-asa-azure/cisco-asa-azure.log"]}
[2024-02-25T03:45:46,786][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub
insights-logs-applicationgatewayaccesslog is initializing...
[2024-02-25T03:45:46,794][WARN ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] You have NOT
specified a `storage_connection_string` for
insights-logs-applicationgatewayaccesslog. This configuration is only supported
for a single Logstash instance.
[2024-02-25T03:45:46,914][INFO ]
[com.microsoft.azure.eventprocessorhost.EventProcessorHost][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host
logstash-3ebf730d-059e-4c9c-818e-f73adb129d55: New EventProcessorHost created.
[2024-02-25T03:45:46,921][INFO ][filewatch.observingtail ][yhq_cisco_asav_azure]
[4b3456af81567c6f95ff8f0d60d4af04db77885ad71681d4ca22588b83f44773] START, creating
Discoverer, Watch with file and sincedb collections
[2024-02-25T03:45:46,941][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub
insights-logs-applicationgatewayaccesslog is initializing...
[2024-02-25T03:45:46,941][WARN ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] You have NOT
specified a `storage_connection_string` for
insights-logs-applicationgatewayaccesslog. This configuration is only supported
for a single Logstash instance.
[2024-02-25T03:45:46,942][INFO ]
[com.microsoft.azure.eventprocessorhost.EventProcessorHost][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host
logstash-0d05a829-6920-4158-b25d-d335135b5e5b: New EventProcessorHost created.
[2024-02-25T03:45:46,995][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Configuring
Event Hub insights-logs-applicationgatewayaccesslog to read only new events.
[2024-02-25T03:45:47,017][INFO ][logstash.javapipeline ][yhq_cisco_asav_azure]
Pipeline started {"pipeline.id"=>"yhq_cisco_asav_azure"}
[2024-02-25T03:45:47,046][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Configuring
Event Hub insights-logs-applicationgatewayaccesslog to read only new events.
[2024-02-25T03:45:47,132][INFO ]
[com.microsoft.azure.eventprocessorhost.EventProcessorHost][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host
logstash-3ebf730d-059e-4c9c-818e-f73adb129d55: Starting event processing.
[2024-02-25T03:45:47,128][INFO ]
[com.microsoft.azure.eventprocessorhost.EventProcessorHost][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
0d05a829-6920-4158-b25d-d335135b5e5b: Starting event processing.
[2024-02-25T03:45:47,568][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_209a84_1708832747301], hostName[yazure-eventhub-
apg01.servicebus.windows.net], info[starting reactor instance.]
[2024-02-25T03:45:47,627][INFO ][com.microsoft.azure.eventhubs.impl.ReactorHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
name[MF_209a84_1708832747301] reactor.onReactorInit
[2024-02-25T03:45:47,670][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onConnectionInit
hostname[yazure-eventhub-apg01.servicebus.windows.net],
connectionId[MF_209a84_1708832747301]
[2024-02-25T03:45:47,672][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalOpen hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_209a84_1708832747301], errorCondition[null], errorDescription[null]
[2024-02-25T03:45:48,101][INFO ][logstash.javapipeline ][zscaler] Pipeline Java
execution initialization time {"seconds"=>7.94}
[2024-02-25T03:45:48,172][INFO ][logstash.inputs.file ][zscaler] No
sincedb_path set, generating one based on the "path" setting
{:sincedb_path=>"/var/lib/logstash/plugins/inputs/file/.sincedb_35207214516fbd37101
67fc8347c876b", :path=>["/var/log/zscaler/zscaler2.log-*"]}
[2024-02-25T03:45:48,211][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_7526e8_1708832747309], hostName[yazure-eventhub-
apg02.servicebus.windows.net], info[starting reactor instance.]
[2024-02-25T03:45:48,231][INFO ][com.microsoft.azure.eventhubs.impl.ReactorHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
name[MF_7526e8_1708832747309] reactor.onReactorInit
[2024-02-25T03:45:48,232][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onConnectionInit
hostname[yazure-eventhub-apg02.servicebus.windows.net],
connectionId[MF_7526e8_1708832747309]
[2024-02-25T03:45:48,232][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalOpen hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_7526e8_1708832747309], errorCondition[null], errorDescription[null]
[2024-02-25T03:45:48,284][INFO ][filewatch.observingread ][zscaler]
[338c3256cbc9a25a68e8953fdaee35f73f7a34c5e1b88b71d476e31b8559c3e1] START, creating
Discoverer, Watch with file and sincedb collections
[2024-02-25T03:45:48,373][INFO ][logstash.javapipeline ][zscaler] Pipeline
started {"pipeline.id"=>"zscaler"}
[2024-02-25T03:45:48,557][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionBound hostname[yazure-eventhub-apg02.servicebus.windows.net],
connectionId[MF_7526e8_1708832747309]
[2024-02-25T03:45:48,597][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionBound hostname[yazure-eventhub-apg01.servicebus.windows.net],
connectionId[MF_209a84_1708832747301]
[2024-02-25T03:45:49,339][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteOpen hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_209a84_1708832747301],
remoteContainer[f396fb987bcf4aba9827dccf291e33ba_G1]
[2024-02-25T03:45:49,340][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteOpen hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_7526e8_1708832747309],
remoteContainer[d20492e4ef734dafaa44790282e00270_G33]
[2024-02-25T03:45:49,391][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_7526e8_1708832747309], hostName[yazure-eventhub-
apg02.servicebus.windows.net], getting a session.
[2024-02-25T03:45:49,419][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_209a84_1708832747301], hostName[yazure-eventhub-
apg01.servicebus.windows.net], getting a session.
[2024-02-25T03:45:49,440][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_209a84_1708832747301], entityName[mgmt-session],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:45:49,449][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
senderName[mgmt], linkName[mgmt:sender], localTarget[Target{address='$management',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:45:49,450][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[mgmt], linkName[mgmt:receiver],
localSource[Source{address='$management', durable=NONE, expiryPolicy=SESSION_END,
timeout=0, dynamic=false, dynamicNodeProperties=null, distributionMode=null,
filter=null, defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:45:49,450][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_7526e8_1708832747309], entityName[mgmt-session],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:45:49,451][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
senderName[mgmt], linkName[mgmt:sender], localTarget[Target{address='$management',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:45:49,451][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[mgmt], linkName[mgmt:receiver],
localSource[Source{address='$management', durable=NONE, expiryPolicy=SESSION_END,
timeout=0, dynamic=false, dynamicNodeProperties=null, distributionMode=null,
filter=null, defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:45:49,459][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_209a84_1708832747301], entityName[mgmt-
session], sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:45:49,459][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
senderName[mgmt], linkName[mgmt:sender], remoteTarget[Target{address='$management',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:45:49,460][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[mgmt], linkName[mgmt:receiver],
remoteSource[Source{address='$management', durable=NONE, expiryPolicy=SESSION_END,
timeout=0, dynamic=false, dynamicNodeProperties=null, distributionMode=null,
filter=null, defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:45:49,461][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_7526e8_1708832747309], entityName[mgmt-
session], sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:45:49,462][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
senderName[mgmt], linkName[mgmt:sender], remoteTarget[Target{address='$management',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:45:49,462][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[mgmt], linkName[mgmt:receiver],
remoteSource[Source{address='$management', durable=NONE, expiryPolicy=SESSION_END,
timeout=0, dynamic=false, dynamicNodeProperties=null, distributionMode=null,
filter=null, defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:45:49,479][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onOpen complete clientId[MF_209a84_1708832747301],
session[mgmt-session], link[mgmt], endpoint[$management]
[2024-02-25T03:45:49,481][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onOpen complete clientId[MF_7526e8_1708832747309],
session[mgmt-session], link[mgmt], endpoint[$management]
[2024-02-25T03:45:49,529][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
0d05a829-6920-4158-b25d-d335135b5e5b: Eventhub insights-logs-
applicationgatewayaccesslog count of partitions: 4
[2024-02-25T03:45:49,530][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
3ebf730d-059e-4c9c-818e-f73adb129d55: Eventhub insights-logs-
applicationgatewayaccesslog count of partitions: 4
[2024-02-25T03:45:49,531][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
3ebf730d-059e-4c9c-818e-f73adb129d55: Found partition with id: 0
[2024-02-25T03:45:49,531][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
3ebf730d-059e-4c9c-818e-f73adb129d55: Found partition with id: 1
[2024-02-25T03:45:49,531][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
3ebf730d-059e-4c9c-818e-f73adb129d55: Found partition with id: 2
[2024-02-25T03:45:49,530][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
0d05a829-6920-4158-b25d-d335135b5e5b: Found partition with id: 0
[2024-02-25T03:45:49,531][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
0d05a829-6920-4158-b25d-d335135b5e5b: Found partition with id: 1
[2024-02-25T03:45:49,531][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
0d05a829-6920-4158-b25d-d335135b5e5b: Found partition with id: 2
[2024-02-25T03:45:49,531][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
0d05a829-6920-4158-b25d-d335135b5e5b: Found partition with id: 3
[2024-02-25T03:45:49,531][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[EC_f42da1_1708832747175]
[2024-02-25T03:45:49,531][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[MF_7526e8_1708832747309]
[2024-02-25T03:45:49,531][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
3ebf730d-059e-4c9c-818e-f73adb129d55: Found partition with id: 3
[2024-02-25T03:45:49,542][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[EC_3077cb_1708832747170]
[2024-02-25T03:45:49,542][INFO ][com.microsoft.azure.eventhubs.impl.ClientEntity]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] close:
clientId[MF_209a84_1708832747301]
[2024-02-25T03:45:49,559][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalClose hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_7526e8_1708832747309], errorCondition[null], errorDescription[null]
[2024-02-25T03:45:49,570][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalClose hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_209a84_1708832747301], errorCondition[null], errorDescription[null]
[2024-02-25T03:45:49,571][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:45:49,572][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:45:49,573][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[mgmt], linkName[mgmt:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:45:49,573][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose connectionId[mgmt-session],
entityName[MF_209a84_1708832747301], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:45:49,582][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:45:49,582][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] closeSession for
clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:45:49,590][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalClose
clientName[mgmt], linkName[mgmt:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:45:49,591][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalClose connectionId[mgmt-session],
entityName[MF_7526e8_1708832747309], condition[Error{condition=null,
description='null', info=null}]
[2024-02-25T03:45:49,592][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:45:49,592][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:45:49,593][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[mgmt], linkName[mgmt:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:45:49,593][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[mgmt], linkName[mgmt:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:45:49,595][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:45:49,595][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[mgmt], linkName[mgmt:sender], errorCondition[null],
errorDescription[null]
[2024-02-25T03:45:49,595][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onLinkRemoteClose clientName[mgmt], linkName[mgmt:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:45:49,595][INFO ]
[com.microsoft.azure.eventhubs.impl.BaseLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] processOnClose
clientName[mgmt], linkName[mgmt:receiver], errorCondition[null],
errorDescription[null]
[2024-02-25T03:45:49,597][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub
registration complete. {:event_hub_name=>"insights-logs-
applicationgatewayaccesslog"}
[2024-02-25T03:45:49,603][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub
registration complete. {:event_hub_name=>"insights-logs-
applicationgatewayaccesslog"}
[2024-02-25T03:45:49,603][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub is
processing events... {:event_hub_name=>"insights-logs-
applicationgatewayaccesslog"}
[2024-02-25T03:45:49,598][INFO ][logstash.inputs.azureeventhubs][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub is
processing events... {:event_hub_name=>"insights-logs-
applicationgatewayaccesslog"}
[2024-02-25T03:45:49,621][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
3ebf730d-059e-4c9c-818e-f73adb129d55: 1: creating new pump
[2024-02-25T03:45:49,631][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
0d05a829-6920-4158-b25d-d335135b5e5b: 3: creating new pump
[2024-02-25T03:45:49,631][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onClose complete clientId[MF_7526e8_1708832747309],
session[mgmt-session], link[mgmt], endpoint[$management]
[2024-02-25T03:45:49,632][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_7526e8_1708832747309], hostName[yazure-eventhub-
apg02.servicebus.windows.net], info[mgmtChannel closed]
[2024-02-25T03:45:49,632][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteClose hostname[yazure-eventhub-
apg02.servicebus.windows.net:5671], connectionId[MF_7526e8_1708832747309],
errorCondition[null], errorDescription[null]
[2024-02-25T03:45:49,632][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionError messagingFactory[MF_7526e8_1708832747309], hostname[yazure-
eventhub-apg02.servicebus.windows.net], error[null]
[2024-02-25T03:45:49,635][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onClose complete clientId[MF_209a84_1708832747301],
session[mgmt-session], link[mgmt], endpoint[$management]
[2024-02-25T03:45:49,635][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_209a84_1708832747301], hostName[yazure-eventhub-
apg01.servicebus.windows.net], info[mgmtChannel closed]
[2024-02-25T03:45:49,635][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteClose hostname[yazure-eventhub-
apg01.servicebus.windows.net:5671], connectionId[MF_209a84_1708832747301],
errorCondition[null], errorDescription[null]
[2024-02-25T03:45:49,635][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionError messagingFactory[MF_209a84_1708832747301], hostname[yazure-
eventhub-apg01.servicebus.windows.net], error[null]
[2024-02-25T03:45:49,660][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_209a84_1708832747301], error[n/a]
[2024-02-25T03:45:49,660][INFO ]
[com.microsoft.azure.eventhubs.impl.CustomIOHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed name[MF_209a84_1708832747301], hostname[yazure-eventhub-
apg01.servicebus.windows.net:5671]
[2024-02-25T03:45:49,661][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionUnbound hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_209a84_1708832747301], state[CLOSED], remoteState[CLOSED]
[2024-02-25T03:45:49,661][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_209a84_1708832747301], entityName[mgmt-session], condition[null],
description[null]
[2024-02-25T03:45:49,661][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionFinal hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_209a84_1708832747301], errorCondition[null], errorDescription[null]
[2024-02-25T03:45:49,662][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_209a84_1708832747301], hostName[yazure-eventhub-
apg01.servicebus.windows.net], message[stopping the reactor because thread was
interrupted or the reactor has no more events to process.]
[2024-02-25T03:45:49,672][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_7526e8_1708832747309], error[n/a]
[2024-02-25T03:45:49,691][INFO ]
[com.microsoft.azure.eventhubs.impl.CustomIOHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onTransportClosed name[MF_7526e8_1708832747309], hostname[yazure-eventhub-
apg02.servicebus.windows.net:5671]
[2024-02-25T03:45:49,691][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionUnbound hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_7526e8_1708832747309], state[CLOSED], remoteState[CLOSED]
[2024-02-25T03:45:49,691][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onSessionFinal
connectionId[MF_7526e8_1708832747309], entityName[mgmt-session], condition[null],
description[null]
[2024-02-25T03:45:49,692][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionFinal hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_7526e8_1708832747309], errorCondition[null], errorDescription[null]
[2024-02-25T03:45:49,692][WARN ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_7526e8_1708832747309], hostName[yazure-eventhub-
apg02.servicebus.windows.net], message[stopping the reactor because thread was
interrupted or the reactor has no more events to process.]
[2024-02-25T03:45:49,681][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
0d05a829-6920-4158-b25d-d335135b5e5b: 3: Creating and opening event processor
instance
[2024-02-25T03:45:49,680][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
3ebf730d-059e-4c9c-818e-f73adb129d55: 1: Creating and opening event processor
instance
[2024-02-25T03:45:50,088][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 3 is opening.
[2024-02-25T03:45:50,089][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
0d05a829-6920-4158-b25d-d335135b5e5b: 3: Opening EH client
[2024-02-25T03:45:50,097][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 1 is opening.
[2024-02-25T03:45:50,097][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
3ebf730d-059e-4c9c-818e-f73adb129d55: 1: Opening EH client
[2024-02-25T03:45:50,099][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_c8829b_1708832750098], hostName[yazure-eventhub-
apg01.servicebus.windows.net], info[starting reactor instance.]
[2024-02-25T03:45:50,100][INFO ][com.microsoft.azure.eventhubs.impl.ReactorHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
name[MF_c8829b_1708832750098] reactor.onReactorInit
[2024-02-25T03:45:50,100][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onConnectionInit
hostname[yazure-eventhub-apg01.servicebus.windows.net],
connectionId[MF_c8829b_1708832750098]
[2024-02-25T03:45:50,100][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalOpen hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_c8829b_1708832750098], errorCondition[null], errorDescription[null]
[2024-02-25T03:45:50,101][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionBound hostname[yazure-eventhub-apg01.servicebus.windows.net],
connectionId[MF_c8829b_1708832750098]
[2024-02-25T03:45:50,117][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_10f0ba_1708832750116], hostName[yazure-eventhub-
apg02.servicebus.windows.net], info[starting reactor instance.]
[2024-02-25T03:45:50,117][INFO ][com.microsoft.azure.eventhubs.impl.ReactorHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
name[MF_10f0ba_1708832750116] reactor.onReactorInit
[2024-02-25T03:45:50,117][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onConnectionInit
hostname[yazure-eventhub-apg02.servicebus.windows.net],
connectionId[MF_10f0ba_1708832750116]
[2024-02-25T03:45:50,117][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalOpen hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_10f0ba_1708832750116], errorCondition[null], errorDescription[null]
[2024-02-25T03:45:50,118][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionBound hostname[yazure-eventhub-apg02.servicebus.windows.net],
connectionId[MF_10f0ba_1708832750116]
[2024-02-25T03:45:50,336][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteOpen hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_c8829b_1708832750098],
remoteContainer[66f4176c304649fd8a4b153086681f80_G19]
[2024-02-25T03:45:50,340][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
3ebf730d-059e-4c9c-818e-f73adb129d55: 1: Initial position provided:
offset[@latest], sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:45:50,340][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
3ebf730d-059e-4c9c-818e-f73adb129d55: 1: Opening EH receiver with epoch 0 at
location offset[@latest], sequenceNumber[null], enqueuedTime[null],
inclusiveFlag[false]
[2024-02-25T03:45:50,360][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteOpen hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_10f0ba_1708832750116],
remoteContainer[758144b8331e45d3beac5d0b17adb168_G28]
[2024-02-25T03:45:50,360][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
0d05a829-6920-4158-b25d-d335135b5e5b: 3: Initial position provided:
offset[@latest], sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:45:50,360][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
0d05a829-6920-4158-b25d-d335135b5e5b: 3: Opening EH receiver with epoch 0 at
location offset[@latest], sequenceNumber[null], enqueuedTime[null],
inclusiveFlag[false]
[2024-02-25T03:45:50,385][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_69d10f_1708832750349_MF_c8829b_1708832750098-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
1], operationTimeout[PT1M], creating a receive link
[2024-02-25T03:45:50,401][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_c8829b_1708832750098], hostName[yazure-eventhub-
apg01.servicebus.windows.net], getting a session.
[2024-02-25T03:45:50,402][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_c8829b_1708832750098], entityName[cbs-session],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:45:50,411][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_390223_1708832750361_MF_10f0ba_1708832750116-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
3], operationTimeout[PT1M], creating a receive link
[2024-02-25T03:45:50,411][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_10f0ba_1708832750116], hostName[yazure-eventhub-
apg02.servicebus.windows.net], getting a session.
[2024-02-25T03:45:50,412][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_10f0ba_1708832750116], entityName[cbs-session],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:45:50,410][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
senderName[cbs], linkName[cbs:sender], localTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:45:50,420][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[cbs], linkName[cbs:receiver], localSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:45:50,438][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_c8829b_1708832750098], entityName[cbs-session],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:45:50,439][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
senderName[cbs], linkName[cbs:sender], remoteTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:45:50,440][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[cbs], linkName[cbs:receiver], remoteSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:45:50,457][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
senderName[cbs], linkName[cbs:sender], localTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:45:50,458][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[cbs], linkName[cbs:receiver], localSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:45:50,477][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onOpen complete clientId[MF_c8829b_1708832750098],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:45:50,480][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_10f0ba_1708832750116], entityName[cbs-session],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:45:50,480][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
senderName[cbs], linkName[cbs:sender], remoteTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:45:50,481][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[cbs], linkName[cbs:receiver], remoteSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:45:50,482][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onOpen complete clientId[MF_10f0ba_1708832750116],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:45:50,500][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_10f0ba_1708832750116], hostName[yazure-eventhub-
apg02.servicebus.windows.net], getting a session.
[2024-02-25T03:45:50,501][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_10f0ba_1708832750116], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/3],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:45:50,508][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_c8829b_1708832750098], hostName[yazure-eventhub-
apg01.servicebus.windows.net], getting a session.
[2024-02-25T03:45:50,546][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_c8829b_1708832750098], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/1],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:45:50,510][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_10f0ba_1708832750116], entityName[insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/3],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:45:50,550][INFO ]
[com.microsoft.azure.eventhubs.impl.PartitionReceiverImpl][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
receiverPath[RECEIVER IS NULL], action[createReceiveLink], offset[@latest],
sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:45:50,553][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[PR_390223_1708832750361_MF_10f0ba_1708832750116-InternalReceiver],
linkName[LN_0be56d_1708832750552_168_G28], localSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/3',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=UnknownDescribedType{descriptor=apache.org:selector-filter:string,
described=amqp.annotation.x-opt-offset > '@latest'}}, defaultOutcome=null,
outcomes=null, capabilities=null}]
[2024-02-25T03:45:50,556][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_c8829b_1708832750098], entityName[insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/1],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:45:50,566][INFO ]
[com.microsoft.azure.eventhubs.impl.PartitionReceiverImpl][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
receiverPath[RECEIVER IS NULL], action[createReceiveLink], offset[@latest],
sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:45:50,566][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[PR_69d10f_1708832750349_MF_c8829b_1708832750098-InternalReceiver],
linkName[LN_a38b3f_1708832750566_f80_G19], localSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/1',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=UnknownDescribedType{descriptor=apache.org:selector-filter:string,
described=amqp.annotation.x-opt-offset > '@latest'}}, defaultOutcome=null,
outcomes=null, capabilities=null}]
[2024-02-25T03:45:50,631][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[PR_390223_1708832750361_MF_10f0ba_1708832750116-InternalReceiver],
linkName[LN_0be56d_1708832750552_168_G28], remoteSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/3',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=org.apache.qpid.proton.codec.DecoderImpl$UnknownDescribedType@233d1e3
2}, defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:45:50,631][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[PR_69d10f_1708832750349_MF_c8829b_1708832750098-InternalReceiver],
linkName[LN_a38b3f_1708832750566_f80_G19], remoteSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/1',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=org.apache.qpid.proton.codec.DecoderImpl$UnknownDescribedType@7e1547b
1}, defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:45:50,631][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onOpenComplete -
clientId[PR_69d10f_1708832750349_MF_c8829b_1708832750098-InternalReceiver],
receiverPath[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/1], linkName[LN_a38b3f_1708832750566_f80_G19], updated-link-credit[300],
sentCredits[300]
[2024-02-25T03:45:50,632][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
3ebf730d-059e-4c9c-818e-f73adb129d55: 1: EH client and receiver creation finished
[2024-02-25T03:45:50,650][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onOpenComplete -
clientId[PR_390223_1708832750361_MF_10f0ba_1708832750116-InternalReceiver],
receiverPath[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/3], linkName[LN_0be56d_1708832750552_168_G28], updated-link-credit[300],
sentCredits[300]
[2024-02-25T03:45:50,660][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
0d05a829-6920-4158-b25d-d335135b5e5b: 3: EH client and receiver creation finished
[2024-02-25T03:45:54,546][INFO ][logstash.javapipeline ][ad] Pipeline Java
execution initialization time {"seconds"=>13.1}
[2024-02-25T03:45:54,565][INFO ][logstash.inputs.beats ][ad] Starting input
listener {:address=>"0.0.0.0:5044"}
[2024-02-25T03:45:54,605][INFO ][org.logstash.beats.Server][ad]
[a94f5e467b1b04d12a972a2e5fcd4c64919fe6cae94cc957030d518a5fb59bcf] Starting server
on port: 5044
[2024-02-25T03:45:54,614][INFO ][logstash.javapipeline ][ad] Pipeline started
{"pipeline.id"=>"ad"}
[2024-02-25T03:45:54,858][INFO ][logstash.agent ] Pipelines running
{:count=>6, :running_pipelines=>[:cucm, :azure_waf_access, :yhq_cisco_asav_azure, :
PA_FactoryPA_ThreatIntel, :zscaler, :ad], :non_running_pipelines=>[]}
[2024-02-25T03:46:19,686][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
3ebf730d-059e-4c9c-818e-f73adb129d55: 2: creating new pump
[2024-02-25T03:46:19,686][INFO ]
[com.microsoft.azure.eventprocessorhost.PumpManager][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
0d05a829-6920-4158-b25d-d335135b5e5b: 0: creating new pump
[2024-02-25T03:46:19,686][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
3ebf730d-059e-4c9c-818e-f73adb129d55: 2: Creating and opening event processor
instance
[2024-02-25T03:46:19,688][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
0d05a829-6920-4158-b25d-d335135b5e5b: 0: Creating and opening event processor
instance
[2024-02-25T03:46:19,707][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 2 is opening.
[2024-02-25T03:46:19,708][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
3ebf730d-059e-4c9c-818e-f73adb129d55: 2: Opening EH client
[2024-02-25T03:46:19,708][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_553f1a_1708832779708], hostName[yazure-eventhub-
apg01.servicebus.windows.net], info[starting reactor instance.]
[2024-02-25T03:46:19,717][INFO ][com.microsoft.azure.eventhubs.impl.ReactorHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
name[MF_553f1a_1708832779708] reactor.onReactorInit
[2024-02-25T03:46:19,717][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onConnectionInit
hostname[yazure-eventhub-apg01.servicebus.windows.net],
connectionId[MF_553f1a_1708832779708]
[2024-02-25T03:46:19,717][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalOpen hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_553f1a_1708832779708], errorCondition[null], errorDescription[null]
[2024-02-25T03:46:19,726][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionBound hostname[yazure-eventhub-apg01.servicebus.windows.net],
connectionId[MF_553f1a_1708832779708]
[2024-02-25T03:46:19,746][INFO ][logstash.inputs.azure.processor][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] Event Hub:
insights-logs-applicationgatewayaccesslog, Partition: 0 is opening.
[2024-02-25T03:46:19,747][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
0d05a829-6920-4158-b25d-d335135b5e5b: 0: Opening EH client
[2024-02-25T03:46:19,748][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_6fe963_1708832779748], hostName[yazure-eventhub-
apg02.servicebus.windows.net], info[starting reactor instance.]
[2024-02-25T03:46:19,756][INFO ][com.microsoft.azure.eventhubs.impl.ReactorHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
name[MF_6fe963_1708832779748] reactor.onReactorInit
[2024-02-25T03:46:19,756][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onConnectionInit
hostname[yazure-eventhub-apg02.servicebus.windows.net],
connectionId[MF_6fe963_1708832779748]
[2024-02-25T03:46:19,757][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionLocalOpen hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_6fe963_1708832779748], errorCondition[null], errorDescription[null]
[2024-02-25T03:46:19,758][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionBound hostname[yazure-eventhub-apg02.servicebus.windows.net],
connectionId[MF_6fe963_1708832779748]
[2024-02-25T03:46:20,028][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteOpen hostname[yazure-eventhub-apg01.servicebus.windows.net:5671],
connectionId[MF_553f1a_1708832779708],
remoteContainer[9903b5cd1588437bac195ce2a46989b1_G11]
[2024-02-25T03:46:20,029][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
3ebf730d-059e-4c9c-818e-f73adb129d55: 2: Initial position provided:
offset[@latest], sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:46:20,029][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
3ebf730d-059e-4c9c-818e-f73adb129d55: 2: Opening EH receiver with epoch 0 at
location offset[@latest], sequenceNumber[null], enqueuedTime[null],
inclusiveFlag[false]
[2024-02-25T03:46:20,030][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_aae1ec_1708832780029_MF_553f1a_1708832779708-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
2], operationTimeout[PT1M], creating a receive link
[2024-02-25T03:46:20,038][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_553f1a_1708832779708], hostName[yazure-eventhub-
apg01.servicebus.windows.net], getting a session.
[2024-02-25T03:46:20,038][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_553f1a_1708832779708], entityName[cbs-session],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:46:20,040][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
senderName[cbs], linkName[cbs:sender], localTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:46:20,047][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[cbs], linkName[cbs:receiver], localSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:46:20,108][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_553f1a_1708832779708], entityName[cbs-session],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:46:20,109][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
senderName[cbs], linkName[cbs:sender], remoteTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:46:20,110][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[cbs], linkName[cbs:receiver], remoteSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:46:20,116][INFO ]
[com.microsoft.azure.eventhubs.impl.ConnectionHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onConnectionRemoteOpen hostname[yazure-eventhub-apg02.servicebus.windows.net:5671],
connectionId[MF_6fe963_1708832779748],
remoteContainer[ae6edd6b04964a91871b87029353311c_G35]
[2024-02-25T03:46:20,119][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionContext][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
0d05a829-6920-4158-b25d-d335135b5e5b: 0: Initial position provided:
offset[@latest], sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:46:20,119][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
0d05a829-6920-4158-b25d-d335135b5e5b: 0: Opening EH receiver with epoch 0 at
location offset[@latest], sequenceNumber[null], enqueuedTime[null],
inclusiveFlag[false]
[2024-02-25T03:46:20,120][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
clientId[PR_58c406_1708832780119_MF_6fe963_1708832779748-InternalReceiver],
path[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/
0], operationTimeout[PT1M], creating a receive link
[2024-02-25T03:46:20,120][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_6fe963_1708832779748], hostName[yazure-eventhub-
apg02.servicebus.windows.net], getting a session.
[2024-02-25T03:46:20,120][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_6fe963_1708832779748], entityName[cbs-session],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:46:20,128][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
senderName[cbs], linkName[cbs:sender], localTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:46:20,128][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[cbs], linkName[cbs:receiver], localSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:46:20,129][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onOpen complete clientId[MF_553f1a_1708832779708],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:46:20,140][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_553f1a_1708832779708], hostName[yazure-eventhub-
apg01.servicebus.windows.net], getting a session.
[2024-02-25T03:46:20,140][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_553f1a_1708832779708], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/2],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:46:20,148][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_553f1a_1708832779708], entityName[insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/2],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:46:20,148][INFO ]
[com.microsoft.azure.eventhubs.impl.PartitionReceiverImpl][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
receiverPath[RECEIVER IS NULL], action[createReceiveLink], offset[@latest],
sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:46:20,149][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[PR_aae1ec_1708832780029_MF_553f1a_1708832779708-InternalReceiver],
linkName[LN_bcec6f_1708832780149_9b1_G11], localSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/2',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=UnknownDescribedType{descriptor=apache.org:selector-filter:string,
described=amqp.annotation.x-opt-offset > '@latest'}}, defaultOutcome=null,
outcomes=null, capabilities=null}]
[2024-02-25T03:46:20,150][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_6fe963_1708832779748], entityName[cbs-session],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:46:20,150][INFO ]
[com.microsoft.azure.eventhubs.impl.SendLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
senderName[cbs], linkName[cbs:sender], remoteTarget[Target{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, capabilities=null}]
[2024-02-25T03:46:20,150][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[cbs], linkName[cbs:receiver], remoteSource[Source{address='$cbs',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter=null,
defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:46:20,168][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[PR_aae1ec_1708832780029_MF_553f1a_1708832779708-InternalReceiver],
linkName[LN_bcec6f_1708832780149_9b1_G11], remoteSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/2',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=org.apache.qpid.proton.codec.DecoderImpl$UnknownDescribedType@b81687b
}, defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:46:20,169][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onOpenComplete -
clientId[PR_aae1ec_1708832780029_MF_553f1a_1708832779708-InternalReceiver],
receiverPath[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/2], linkName[LN_bcec6f_1708832780149_9b1_G11], updated-link-credit[300],
sentCredits[300]
[2024-02-25T03:46:20,169][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
3ebf730d-059e-4c9c-818e-f73adb129d55: 2: EH client and receiver creation finished
[2024-02-25T03:46:20,151][INFO ]
[com.microsoft.azure.eventhubs.impl.RequestResponseOpener][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
requestResponseChannel.onOpen complete clientId[MF_6fe963_1708832779748],
session[cbs-session], link[cbs], endpoint[$cbs]
[2024-02-25T03:46:20,239][INFO ]
[com.microsoft.azure.eventhubs.impl.MessagingFactory][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
messagingFactory[MF_6fe963_1708832779748], hostName[yazure-eventhub-
apg02.servicebus.windows.net], getting a session.
[2024-02-25T03:46:20,240][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionLocalOpen connectionId[MF_6fe963_1708832779748], entityName[insights-logs-
applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/0],
condition[Error{condition=null, description='null', info=null}]
[2024-02-25T03:46:20,259][INFO ][com.microsoft.azure.eventhubs.impl.SessionHandler]
[azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
onSessionRemoteOpen connectionId[MF_6fe963_1708832779748], entityName[insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/0],
sessionIncCapacity[0], sessionOutgoingWindow[2147483647]
[2024-02-25T03:46:20,259][INFO ]
[com.microsoft.azure.eventhubs.impl.PartitionReceiverImpl][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8]
receiverPath[RECEIVER IS NULL], action[createReceiveLink], offset[@latest],
sequenceNumber[null], enqueuedTime[null], inclusiveFlag[false]
[2024-02-25T03:46:20,259][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkLocalOpen
receiverName[PR_58c406_1708832780119_MF_6fe963_1708832779748-InternalReceiver],
linkName[LN_897d5e_1708832780259_11c_G35], localSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/0',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=UnknownDescribedType{descriptor=apache.org:selector-filter:string,
described=amqp.annotation.x-opt-offset > '@latest'}}, defaultOutcome=null,
outcomes=null, capabilities=null}]
[2024-02-25T03:46:20,279][INFO ]
[com.microsoft.azure.eventhubs.impl.ReceiveLinkHandler][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onLinkRemoteOpen
receiverName[PR_58c406_1708832780119_MF_6fe963_1708832779748-InternalReceiver],
linkName[LN_897d5e_1708832780259_11c_G35], remoteSource[Source{address='insights-
logs-applicationgatewayaccesslog/ConsumerGroups/$Default/Partitions/0',
durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false,
dynamicNodeProperties=null, distributionMode=null, filter={apache.org:selector-
filter:string=org.apache.qpid.proton.codec.DecoderImpl$UnknownDescribedType@532cec5
d}, defaultOutcome=null, outcomes=null, capabilities=null}]
[2024-02-25T03:46:20,279][INFO ]
[com.microsoft.azure.eventhubs.impl.MessageReceiver][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] onOpenComplete -
clientId[PR_58c406_1708832780119_MF_6fe963_1708832779748-InternalReceiver],
receiverPath[insights-logs-applicationgatewayaccesslog/ConsumerGroups/$Default/
Partitions/0], linkName[LN_897d5e_1708832780259_11c_G35], updated-link-credit[300],
sentCredits[300]
[2024-02-25T03:46:20,280][INFO ]
[com.microsoft.azure.eventprocessorhost.PartitionPump][azure_waf_access]
[e921425eaa599df0a156e9171a302f77cf37b9f7ab3fe92fa0971b9f1f5cfac8] host logstash-
0d05a829-6920-4158-b25d-d335135b5e5b: 0: EH client and receiver creation finished
