Log streaming: Coralogix

Fastly's Real-Time Log Streaming feature can send log files to Coralogix. Coralogix provides an analytics platform that allows you to detect abnormal behavior via dynamic alerts, ratio alerts, flow anomaly detection, and threat discovery.

NOTE

Fastly does not provide direct support for third-party services. Read Fastly's Terms of Service for more information.

Prerequisites

If you don't already have a Coralogix account, you'll need to register for one by following the signup instructions on the Coralogix website. Once you've signed up, navigate to the Send Your Logs area in the Settings section of your Coralogix dashboard and make note of your unique private key. Coralogix uses this to associate data you send them with your account. You'll need it when you set up your endpoint with Fastly.

Adding Coralogix as a logging endpoint

Follow these instructions to add Coralogix as a logging endpoint:

  1. Review the information in our guide to setting up remote log streaming.
  2. In the HTTPS area, click Create endpoint.
  3. Fill out the Create an HTTPS endpoint fields as follows:
    • In the Name field, enter a human-readable name for the endpoint.
    • In the Placement area, select where the logging call should be placed in the generated VCL. Valid values are Format Version Default, waf_debug (waf_debug_log), and None. Read our guide on changing log placement for more information.
    • In the Log format field, replace the placeholder log format and make the appropriate changes as shown in our log format and recommendations section below.
    • In the URL field, enter the Coralogix REST API Singles Endpoint for your Coralogix Domain. For example, you could use https://ingress.coralogix.us/logs/v1/singles for the coralogix.us domain.
    • In the Maximum logs field, leave the default value of 0.
    • In the Maximum bytes field, enter 2000000.
  4. Click Advanced options and fill out the fields as follows:
    • In the Content type field, enter application/json.
    • In the Custom header name field, enter Authorization.
    • In the Custom header value field, enter Bearer <your Coralogix private key>.
    • From the Method controls, select POST.
    • From the JSON log entry format controls, select Array of JSON.
    • Leave the Select a log line format controls set to the defaults.
    • Leave the remaining fields blank.
  5. Click Create to create the new logging endpoint.
  6. Click Activate to deploy your configuration changes.

NOTE

For Coralogix, you do not need to configure anything to satisfy the HTTPS Proof of domain ownership requirement, and you can safely ignore any warning about it.

Log format and field setting recommendations

Use the following log format:

{
  "timestamp":%{time.start.msec}V,
  "applicationName":"fastly",
  "subsystemName":"%{req.service_id}V",
  "severity": 3,
  "json": {
    "time": {
      "start":"%{begin:%Y-%m-%dT%H:%M:%S%Z}t",
      "end":"%{end:%Y-%m-%dT%H:%M:%S%Z}t",
      "elapsed":%D
    },
    "cdn_server": {
      "ip_ipaddr":"%A",
      "code":"%{server.datacenter}V",
      "hostname":"%{server.hostname}V",
      "region_code":"%{server.region}V",
      "response_state":"%{fastly_info.state}V",
      "is_h2":%{if(fastly_info.is_h2, "true", "false")}V,
      "is_h2_push":%{if(fastly_info.h2.is_push, "true", "false")}V,
      "h2_stream_id":"%{fastly_info.h2.stream_id}V"
    },
    "client": {
      "city_name":"%{client.geo.city.utf8}V",
      "country_code":"%{client.geo.country_code}V",
      "country_name":"%{client.geo.country_name}V",
      "continent_code":"%{client.geo.continent_code}V",
      "region":"%{client.geo.region}V",
      "ip_ipaddr":"%h",
      "name":"%{client.as.name}V",
      "number":"%{client.as.number}V",
      "connection_speed":"%{client.geo.conn_speed}V",
      "location_geopoint": {
        "lat":%{client.geo.latitude}V,
        "lon":%{client.geo.longitude}V
      }
    },
    "response": {
      "status":%>s,
      "content_type":"%{Content-Type}o",
      "age":"%{Age}o",
      "cache_control":"%{Cache-Control}o",
      "expires":"%{Expires}o",
      "last_modified":"%{Last-Modified}o",
      "tsv":"%{TSV}o",
      "header_size":%{resp.header_bytes_written}V,
      "body_size":%B
    },
    "request": {
      "host":"%{req.http.host}V",
      "is_ipv6":%{if(req.is_ipv6, "true", "false")}V,
      "backend":"%{req.backend}V",
      "service_id":"%{req.service_id}V",
      "url":"%{cstr_escape(req.url)}V",
      "url_ext":"%{req.url.ext}V",
      "header_size":%{req.header_bytes_read}V,
      "body_size":%{req.body_bytes_read}V,
      "method":"%m",
      "protocol":"%H",
      "referer":"%{Referer}i",
      "user_agent":"%{User-Agent}i",
      "accept_content":"%{Accept}i",
      "accept_language":"%{Accept-Language}i",
      "accept_encoding":"%{Accept-Encoding}i",
      "accept_charset":"%{Accept-Charset}i",
      "connection":"%{Connection}i",
      "dnt":"%{DNT}i",
      "forwarded":"%{Forwarded}i",
      "via":"%{Via}i",
      "cache_control":"%{Cache-Control}i",
      "x_requested_with":"%{X-Requested-With}i",
      "x_att_device_id":"%{X-ATT-Device-Id}i",
      "x_forwarded_for":"%{X-Forwarded-For}i"
    },
    "socket": {
      "cwnd":%{client.socket.cwnd}V,
      "pace":%{client.socket.pace}V,
      "nexthop":"%{client.socket.nexthop}V",
      "tcpi_rcv_mss":%{client.socket.tcpi_rcv_mss}V,
      "tcpi_snd_mss":%{client.socket.tcpi_snd_mss}V,
      "tcpi_rtt":%{client.socket.tcpi_rtt}V,
      "tcpi_rttvar":%{client.socket.tcpi_rttvar}V,
      "tcpi_rcv_rtt":%{client.socket.tcpi_rcv_rtt}V,
      "tcpi_rcv_space":%{client.socket.tcpi_rcv_space}V,
      "tcpi_last_data_sent":%{client.socket.tcpi_last_data_sent}V,
      "tcpi_total_retrans":%{client.socket.tcpi_total_retrans}V,
      "tcpi_delta_retrans":%{client.socket.tcpi_delta_retrans}V,
      "ploss":%{client.socket.ploss}V
    }
  }
}

The first five fields of the recommended format are required:

  • timestamp: Leave the format of this field unchanged.

  • applicationName: Enter the name of the application in this field.

  • subsystemName: Enter the name of the subsystem in this field. This is used to separate components. The example uses req.service_id, which isn't particularly human readable; use whatever subsystem name helps you identify the component.

  • severity: Specify the severity and apply it to all logs using the following choices: 1 (debug), 2 (verbose), 3 (info), 4 (warning), 5 (error), 6 (critical). This can be changed later using an extract rule as described below.

  • json (object): Add or remove fields as necessary. Static fields can be added. Nested JSON is supported, and any field described in the Fastly VCL reference can be used.

    Including the nested response.status field is a useful way to record how each request was served. Using the Coralogix parsing rules, you can set a JSON Extract rule that reads the status code from the log and populates the severity field in the Coralogix interface, so an HTTP status code is mapped to a severity value automatically. For example, a 2xx status code will set the Coralogix severity to “INFO” and a 4xx status code will set it to “ERROR”.

    In the Coralogix web interface, it will look like this:

    Creating a new Coralogix Rule
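As an added example (not part of Fastly's or Coralogix's documentation), the following Python script checks a rendered entry for the five required fields, mirrors the status-to-severity extract rule described above, and groups entries into "Array of JSON" batches that stay within the 2000000-byte Maximum bytes setting from the endpoint setup. The sample entry, the placeholder subsystem name and the treatment of 5xx as critical are constructed assumptions.

```python
import json

SAMPLE_ENTRY = {  # constructed sample, shaped like the page's recommended log format
    "timestamp": 1700000000123,
    "applicationName": "fastly",
    "subsystemName": "EXAMPLE_SERVICE_ID",  # placeholder, not a real Fastly service id
    "severity": 3,
    "json": {"response": {"status": 404}, "request": {"url": "/missing"}},
}
REQUIRED = ("timestamp", "applicationName", "subsystemName", "severity", "json")
MAX_BATCH_BYTES = 2_000_000  # the Maximum bytes value entered when creating the endpoint

def validate_entry(entry):
    """Return a list of problems; an empty list means the required fields are usable."""
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in entry]
    if entry.get("severity") not in range(1, 7):
        problems.append("severity must be an integer from 1 (debug) to 6 (critical)")
    return problems

def severity_from_status(status):
    """Mirror the JSON Extract rule the page describes: 2xx -> 3 (info), 4xx -> 5 (error).
    Treating 5xx as 6 (critical) and anything else as info is this example's assumption."""
    if 400 <= status < 500:
        return 5
    return 6 if 500 <= status < 600 else 3

def apply_status_severity(entry):
    """Copy of entry whose top-level severity follows json.response.status, if present."""
    status = entry.get("json", {}).get("response", {}).get("status")
    if not isinstance(status, int):
        return dict(entry)
    return dict(entry, severity=severity_from_status(status))

def batch_entries(entries, max_bytes=MAX_BATCH_BYTES):
    """Group entries into 'Array of JSON' payloads no larger than max_bytes. Entries too
    large to send alone are returned separately rather than truncated to invalid JSON."""
    batches, current, size, dropped = [], [], 2, []  # 2 bytes for the enclosing [ ]
    for e in entries:
        item = len(json.dumps(e, separators=(",", ":")).encode("utf-8"))
        if item + 2 > max_bytes:
            dropped.append(e)
            continue
        extra = item + (1 if current else 0)  # comma between array items
        if size + extra > max_bytes:
            batches.append(current)
            current, size, extra = [], 2, item
        current.append(e)
        size += extra
    if current:
        batches.append(current)
    return batches, dropped
```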

Configuring Coralogix dashboards and alerting

Coralogix provides tutorials for integrating their service with Fastly via dashboards and alerting. This includes examples of data dashboards created using Fastly data, including one for a general service overview, a visitor summary, and quality of service.

Their tutorials also describe how to set up user-defined alerts for situations like no logs being received from Fastly, outages at your origin, elevated error ratios and cache misses, unusual or suspicious requests of various types, as well as potential website defacement attempts.
