diff --git a/packages/aws-cdk-lib/aws-logs/lib/transformer.ts b/packages/aws-cdk-lib/aws-logs/lib/transformer.ts
index 561f39a355440..a6b429f0f905f 100644
--- a/packages/aws-cdk-lib/aws-logs/lib/transformer.ts
+++ b/packages/aws-cdk-lib/aws-logs/lib/transformer.ts
@@ -128,8 +128,20 @@ export enum OCSFVersion {
 /**
 * OCSF schema version 1.1.
 * @see https://schema.ocsf.io/1.1.0/
+ *
+ * OCSF schema version 1.5
+ * @see https://schema.ocsf.io/1.5.0/
 */
 V1_1 = 'V1.1',
+ V1_5 = 'V1.5',
+}
+
+/**
+ * OCSF Mapping versions supported by transformers.
+ */
+export enum OCSFMappingVersion {
+ /** OCSF mapping version 1.5.0 */
+ V1_5_0 = 'v1.5.0',
 }
 
 /**
@@ -232,6 +244,11 @@ export interface ParseToOCSFProperty {
 * Version of OCSF schema to convert to.
 */
 readonly ocsfVersion: OCSFVersion;
+
+ /**
+ * The mapping version for OCSF v1.5 ParseToOCSF.
+ */
+ readonly mappingVersion?: OCSFMappingVersion;
 }
 
 /**
@@ -877,7 +894,7 @@ export class ParserProcessor implements IProcessor {
 }
 this.parseToOCSFOptions = {
 source: '@message',
- ... props.parseToOCSFOptions,
+ ...props.parseToOCSFOptions,
 };
 break;
 
@@ -901,7 +918,16 @@ export class ParserProcessor implements IProcessor {
 case ParserProcessorType.GROK:
 return { grok: this.grokOptions };
 case ParserProcessorType.OCSF:
- return { parseToOcsf: this.parseToOCSFOptions };
+ const ocsfConfig: any = {
+ source: this.parseToOCSFOptions?.source,
+ eventSource: this.parseToOCSFOptions?.eventSource,
+ ocsfVersion: this.parseToOCSFOptions?.ocsfVersion,
+ };
+ // Add mappingVersion if defined
+ if (this.parseToOCSFOptions?.mappingVersion !== undefined) {
+ ocsfConfig.mappingVersion = this.parseToOCSFOptions.mappingVersion;
+ }
+ return { parseToOcsf: ocsfConfig };
 default:
 throw new UnscopedValidationError(`Unsupported parser processor type: ${this.type}`);
 }
diff --git a/packages/aws-cdk-lib/aws-logs/test/transformer.test.ts b/packages/aws-cdk-lib/aws-logs/test/transformer.test.ts
index d0941c60e903d..10aada30518ee 100644
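Review bot: The new `V1_5` member of `OCSFVersion` has no doc comment of its own; the hunk instead appends "OCSF schema version 1.5" and its `@see` link inside the JSDoc block that precedes `V1_1`, so generated documentation will describe 1.1 with a 1.5 link and 1.5 with nothing. Restore the `V1_1` block to its original three lines and give `V1_5` its own block, `/** OCSF schema version 1.5.` / ` * @see https://schema.ocsf.io/1.5.0/` / ` */`, placed directly above `V1_5 = 'V1.5',`. The `OCSFMappingVersion` enum added below is documented correctly and needs no change.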
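Review bot: `mappingVersion` on `ParseToOCSFProperty` is optional but its doc comment carries no `@default` line, which awslint flags on optional props in this package, and the text does not say what happens when it is omitted or that it is tied to `ocsfVersion`. I would replace the comment body with ` * The OCSF mapping version to apply; only meaningful when ocsfVersion is OCSFVersion.V1_5.` and ` * @default - no mapping version is sent to CloudFormation`. Nothing in this hunk or the constructor hunk checks that the field is paired with `V1_5`; if CloudFormation rejects other combinations (I cannot confirm that from the diff), the check belongs with the existing constructor validation that runs before `this.parseToOCSFOptions` is assigned.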
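Review bot: In the last hunk `const ocsfConfig: any` throws away type checking on the object that is rendered to the template, and the `const` is declared directly in a `case` clause without a block, which leaks it into the whole `switch` scope and trips `no-case-declarations`. The file already has a type for exactly this shape, `ParseToOCSFProperty`, so the object can be declared with it and the `case` wrapped in braces; that also removes the need for the mutating `if` and the `// Add mappingVersion if defined` comment. Note that when `this.parseToOCSFOptions` is undefined the old code returned `parseToOcsf: undefined` while the new code returns an object of three undefined fields; the rewrite below keeps the old behaviour for that case (whether it can occur depends on constructor validation outside this hunk). The enclosing method begins before the hunk.
```typescript
      case ParserProcessorType.OCSF: {
        const opts = this.parseToOCSFOptions;
        // Copy only the fields the L1 accepts; mappingVersion is spread in so an
        // omitted value never shows up as an explicit undefined key.
        const ocsfConfig: ParseToOCSFProperty | undefined = opts && {
          source: opts.source,
          eventSource: opts.eventSource,
          ocsfVersion: opts.ocsfVersion,
          ...(opts.mappingVersion !== undefined ? { mappingVersion: opts.mappingVersion } : {}),
        };
        return { parseToOcsf: ocsfConfig };
      }
      // … unchanged: default branch …
```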
--- a/packages/aws-cdk-lib/aws-logs/test/transformer.test.ts
+++ b/packages/aws-cdk-lib/aws-logs/test/transformer.test.ts
@@ -1,6 +1,6 @@
 import { Template } from '../../assertions';
 import { Stack } from '../../core';
-import { LogGroup, Transformer, ParserProcessor, JsonMutatorProcessor, VendedLogParser, StringMutatorProcessor, DataConverterProcessor, ParserProcessorType, JsonMutatorType, StringMutatorType, DelimiterCharacter, DataConverterType, TypeConverterType, QuoteCharacter, VendedLogType, OCSFSourceType, OCSFVersion } from '../lib';
+import { LogGroup, Transformer, ParserProcessor, JsonMutatorProcessor, VendedLogParser, StringMutatorProcessor, DataConverterProcessor, ParserProcessorType, JsonMutatorType, StringMutatorType, DelimiterCharacter, DataConverterType, TypeConverterType, QuoteCharacter, VendedLogType, OCSFSourceType, OCSFVersion, OCSFMappingVersion } from '../lib';
 
 describe('transformer', () => {
 // Parser Processor tests
@@ -289,6 +289,42 @@ describe('transformer', () => {
 });
 });
 
+ test('create a OCSF v1.5 parser transformer against a log group', () => {
+ // GIVEN
+ const stack = new Stack();
+
+ // WHEN
+ const logGroup = new LogGroup(stack, 'aws_cdk_test_log_group');
+
+ const ocsfParser = new ParserProcessor({
+ type: ParserProcessorType.OCSF,
+ parseToOCSFOptions: {
+ eventSource: OCSFSourceType.VPC_FLOW,
+ ocsfVersion: OCSFVersion.V1_5,
+ mappingVersion: OCSFMappingVersion.V1_5_0,
+ },
+ });
+
+ new Transformer(stack, 'Transformer', {
+ transformerName: 'MyTransformer',
+ logGroup: logGroup,
+ transformerConfig: [ocsfParser],
+ });
+
+ // THEN
+ Template.fromStack(stack).hasResourceProperties('AWS::Logs::Transformer', {
+ LogGroupIdentifier: { Ref: 'awscdktestloggroup30AE39AB' },
+ TransformerConfig: [{
+ ParseToOCSF: {
+ Source: '@message',
+ EventSource: 'VPCFlow',
+ OcsfVersion: 'V1.5',
+ MappingVersion: 'v1.5.0',
+ },
+ }],
+ });
+ });
+
 // Json Mutator tests
 test('create a Add Key transformer against a log group', () => {
 // GIVEN
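Review bot: The new test only covers the path where `mappingVersion` is supplied; nothing asserts that an OCSF parser built without it still renders no `MappingVersion` key, which is the branch the `!== undefined` guard in transformer.ts exists for. The old import already pulled in `OCSFVersion`, so an OCSF test without a mapping version presumably exists; adding `MappingVersion: Match.absent(),` to its expected `ParseToOCSF` object (with `Match` imported from `'../../assertions'`) would pin that behaviour. Minor style point: `logGroup: logGroup,` can use the shorthand `logGroup,` as the rest of the literal does.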