How to decrypt "encrypted_matched_data" of Firewall event log in splunk?

Hello, everyone.
I am trying to collect Cloudflare Firewall Event Log with Splunk.

If you look at the Firewall Event Log, the “encrypted_matched_data” Field item is encrypted.

(I know decryption using “matched-data-cli”)

I am curious how to decrypt all the numerous firewall event logs.

Any examples of efficient decryption using “matched-data-cli” in Splunk?

How did you design it?

Let me throw THIS in here:

To decrypt an encrypted matched data blob:

$ cat private_key.txt
uBS5eBttHrqkdY41kbZPdvYnNz8Vj0TvKIUpjB1y/GA=
$ cat matched_data.txt
AzTY6FHajXYXuDMUte82wrd+1n5CEHPoydYiyd3FMg5IEQAAAAAAAAA0lOhGXBclw8pWU5jbbYuepSIJN5JohTtZekLliJBlVWk=
$ matched-data-cli decrypt -k private_key.txt matched_data.txt
test matched data

For how to do it in Splunk specifically, please ask in the Splunk community, or Splunk support directly, as it is not related to Cloudflare.
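The question asks how to run that single-blob CLI command over a large number of firewall events. One way to do it, as an added example that is not from this thread, from Cloudflare, or from Splunk: a small Python batch script that reads events exported from Splunk as JSON lines, shells out to the exact command shown above (matched-data-cli decrypt -k private_key.txt matched_data.txt) once per distinct blob, and writes the events back out with a decrypted field added. The JSON-lines shape, the field name "matched_data" for the decrypted value, and the sample events are assumptions; the blob values in the sample are placeholders, not real ciphertext.

```python
"""Batch-decrypt Cloudflare "encrypted_matched_data" values in exported
firewall event logs by calling matched-data-cli once per distinct blob.

Added example for this thread; not Cloudflare's or Splunk's own code.
"""
import json
import subprocess
import sys
import tempfile
from functools import partial
from pathlib import Path
from typing import Callable, Iterable

# Constructed sample input in JSON-lines form (one event per line), as a
# Splunk export might look. The blobs are placeholders, not real ciphertext.
# The second event has no encrypted field and must pass through untouched.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"ray_id": "ray-0001", "action": "block",
                "encrypted_matched_data": "BLOB_A"}),
    json.dumps({"ray_id": "ray-0002", "action": "log"}),
    json.dumps({"ray_id": "ray-0003", "action": "block",
                "encrypted_matched_data": "BLOB_B"}),
    json.dumps({"ray_id": "ray-0004", "action": "block",
                "encrypted_matched_data": "BLOB_A"}),  # repeat of BLOB_A
])


def cli_decrypt(private_key_path: str, blob: str) -> str:
    """Decrypt one blob with the command shown in the thread:
    matched-data-cli decrypt -k <private_key_file> <matched_data_file>.
    The blob is written to a temporary file because the CLI reads it from a file."""
    with tempfile.TemporaryDirectory() as tmp:
        blob_file = Path(tmp) / "matched_data.txt"
        blob_file.write_text(blob + "\n")
        result = subprocess.run(
            ["matched-data-cli", "decrypt", "-k", private_key_path, str(blob_file)],
            capture_output=True, text=True, check=True,
        )
    return result.stdout.rstrip("\n")


def decrypt_events(lines: Iterable[str], decrypt: Callable[[str], str],
                   field: str = "encrypted_matched_data",
                   out_field: str = "matched_data") -> list[dict]:
    """Parse JSON-lines events, decrypt `field` where present, and return the
    enriched events. Identical blobs are decrypted only once (cache), and a
    failing blob is recorded in `<out_field>_error` instead of aborting the batch."""
    cache: dict[str, str] = {}
    events = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue  # skip blank lines in the export
        event = json.loads(raw)
        blob = event.get(field)
        if blob:
            if blob not in cache:
                try:
                    cache[blob] = decrypt(blob)
                except (subprocess.CalledProcessError, OSError) as exc:
                    # OSError covers a missing CLI; CalledProcessError a bad key/blob.
                    cache[blob] = None
                    event[out_field + "_error"] = str(exc)
            if cache[blob] is not None:
                event[out_field] = cache[blob]
            else:
                event.setdefault(out_field + "_error", "decryption failed")
        events.append(event)
    return events


def main(argv: list[str]) -> int:
    """Usage: python batch_decrypt.py private_key.txt events.jsonl > decrypted.jsonl"""
    if len(argv) != 3:
        print(main.__doc__, file=sys.stderr)
        return 2
    key_path, events_path = argv[1], argv[2]
    with open(events_path, encoding="utf-8") as fh:
        enriched = decrypt_events(fh, partial(cli_decrypt, key_path))
    for event in enriched:
        print(json.dumps(event))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The decryption step is kept outside Splunk on purpose: the private key only has to exist on the host running this script, and the decrypted field is added before the events are indexed, so searches never need the key. The per-blob cache matters because the same matched data often recurs across many events, and each CLI call is a process spawn.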
