I’m rather new to CloudFlare. I’m working as a SIEM Engineer and have recently come across the opportunity to work with CloudFlare LogPush.
My client has recently pushed the CloudFlare logs to S3 buckets, and from the S3 buckets the SIEM reads and normalizes the logs.
The client has 4 domains, and all 4 domains have been configured to LogPush to these S3 buckets. Out of the 4 domains, one domain’s log format is different from the other 3. Due to this difference, the SIEM custom parser is unable to recognize this log format and fails to normalize that domain’s logs.
The differences are as shown in the screenshot:
As shown above, the main difference is that the log fields are not sorted in alphabetical order.
I’ve checked with the client; they mentioned that when enabling LogPush, there’s no option to ensure sorting is in place.
So the ask: Is there any option in LogPush that ensures all the fields are sorted in alphabetical order?
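For reference, here is the normalization step the post describes, written as an added example (not the poster's parser, and not Cloudflare code). It parses each Logpush NDJSON line by key rather than by field position, rebuilds every record with sorted keys so all four domains produce one layout, and keeps unparseable or incomplete lines in a reject list instead of dropping them silently. The sample lines are constructed; the field names are assumed to follow the Logpush HTTP requests dataset, and `REQUIRED_FIELDS` is a placeholder for whatever the real SIEM mapping depends on.

```python
import json
from typing import Any, Dict, Iterable, List, Tuple

# Constructed sample lines, not real client data. Field names are assumed to
# follow the Cloudflare Logpush HTTP requests dataset; the first two lines carry
# the same fields in different key order, which is the situation in the question.
SAMPLE_LINES = [
    '{"ClientIP":"203.0.113.7","ClientRequestHost":"alpha.example","ClientRequestMethod":"GET",'
    '"EdgeResponseStatus":200,"RayID":"0123456789abcdef"}',
    '{"RayID":"fedcba9876543210","EdgeResponseStatus":403,"ClientRequestMethod":"POST",'
    '"ClientIP":"198.51.100.9","ClientRequestHost":"delta.example"}',
    "not json at all",  # a broken line, to show rejects are counted rather than lost
]

# Fields the downstream SIEM mapping relies on (assumption; adjust to the real parser).
REQUIRED_FIELDS = ("ClientIP", "ClientRequestHost", "EdgeResponseStatus", "RayID")


def field_order(line: str) -> List[str]:
    """Return the keys of one NDJSON line in the order they appear on disk."""
    return list(json.loads(line).keys())


def canonical_line(record: Dict[str, Any]) -> str:
    """Re-serialize a record with keys sorted, so every domain yields one layout."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def same_schema(a: Dict[str, Any], b: Dict[str, Any]) -> bool:
    """True when two records carry the same field set, regardless of key order."""
    return set(a) == set(b)


def normalize_lines(lines: Iterable[str]) -> Tuple[List[Dict[str, Any]], List[str]]:
    """Parse Logpush NDJSON by key, not by position.

    Returns (records, rejects): records are dicts rebuilt with sorted keys and
    all REQUIRED_FIELDS present; rejects are raw lines that were unparseable or
    incomplete, kept so the drop is visible in monitoring instead of silent.
    """
    records: List[Dict[str, Any]] = []
    rejects: List[str] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue  # blank line at end of a batch file
        try:
            parsed = json.loads(raw)
        except json.JSONDecodeError:
            rejects.append(raw)
            continue
        if not isinstance(parsed, dict) or any(k not in parsed for k in REQUIRED_FIELDS):
            rejects.append(raw)
            continue
        # Rebuild with sorted keys: the on-disk order no longer matters downstream.
        records.append({k: parsed[k] for k in sorted(parsed)})
    return records, rejects


if __name__ == "__main__":
    recs, bad = normalize_lines(SAMPLE_LINES)
    for r in recs:
        print(canonical_line(r))
    print(f"{len(recs)} normalized, {len(bad)} rejected")
```

Run as a script it prints both sample records in identical key order followed by a count of rejects; the point of the reject list is that a schema change on one domain shows up as a rising reject count rather than as silently missing events.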