RTLD delivers log data in near real-time to a variety of destinations. It consists of three modules, which are:
Real-Time Log Delivery CDN
Delivers log data that describes requests submitted to our CDN service.
This feature must be purchased separately. For more information, please contact your CDN account manager.
Real-Time Log Delivery Rate Limiting
Delivers log data that describes requests for which Web Application Firewall (WAF) enforced a rate limit as defined through a rate rule.
RTLD Rate Limiting requires WAF Premier, WAF Standard, or WAF Essentials. If you currently have WAF Insights and would like to use this capability, please contact your CDN account manager to upgrade to the full version.
Real-Time Log Delivery WAF
Delivers log data that describes requests identified as threats by Web Application Firewall (WAF).
RTLD WAF requires WAF Premier, WAF Standard, or WAF Essentials. If you currently have WAF Insights and would like to use this capability, please contact your CDN account manager to upgrade to the full version.
RTLD WAF delivers log data for threats identified by WAF. It excludes log data for rate limited requests as determined by rate rules. Use RTLD Rate Limiting to deliver log data for rate limited requests.
RTLD delivers compressed log data to one or more of the following destination(s):
Load the Real-Time Log Delivery CDN page from the main menu by navigating to More, finding Real-Time Log Delivery under Analytics, and then selecting CDN.
If this menu item is not present, then check the following items:
Load the Real-Time Log Delivery Rate Limiting page from the main menu by navigating to More, finding Real-Time Log Delivery under Analytics, and then selecting RL.
If this menu item is not present, then check the following items:
Load the Real-Time Log Delivery WAF page from the main menu by navigating to More, finding Real-Time Log Delivery under Analytics, and then selecting WAF.
If this menu item is not present, then check the following items:
This service has been optimized to provide log data in near real-time. A trade-off of optimizing log collection and delivery for speed is that it is not as accurate as the source data for account billing. Therefore, real-time log data should not be used for billing verification purposes.
Yes. However, a specific bucket policy must be applied to it.
Yes. However, you must authorize log data uploads via either a SAS token or an access key.
Yes. However, you must authorize our Google Cloud Storage user to upload log data.
Yes. Authorize log data delivery via the Authorization request header by passing a token or user account credentials. Alternatively, log data may be delivered to your web server(s) without authorization.
Yes. Log data delivery may be limited by:
Filtering the set of log data that will be delivered.
RTLD CDN: Filter log data by:
RTLD Rate Limiting: Filter log data by:
RTLD WAF: Filter log data by:
Downsampling logs to 0.1%, 1%, 25%, 50%, or 75% of the set of log entries that will be delivered.
Example:
Downsampling 1 million log entries to 1% results in 10,000 log entries.
Firewall configuration is only required when delivering log data to either your web server(s) or an instance of Splunk Enterprise hosted within your network. Set up your firewall to allow inbound POST requests (in practice, TCP connections to the port on which your endpoint listens, since a network firewall sees source addresses and ports rather than HTTP methods) from the following CIDR network addresses:
152.195.20.0/24
192.16.61.0/24
198.7.21.0/24
If you plan to deliver log data via a custom port, then you should also configure your firewall to open that port for the above IP blocks.
If our service is unable to deliver log data, then we will store it for up to 3 days and deliver it when communication resumes. If we cannot deliver log data within 3 days, then it will be permanently deleted.
Yes. Each profile is:
This means that more than one profile may be configured to deliver the same set of log data.
No. RTLD CDN, RTLD Rate Limiting, and RTLD WAF use separate logging mechanisms.
Yes. RTLD compresses all log data using gzip.
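The following is an added example, not code from this page or from the RTLD service, showing the receiver-side checks a practitioner would put in front of a self-hosted HTTP endpoint: restrict accepted deliveries to the three source CIDR blocks listed above, validate the Authorization header, and gunzip the body before parsing it. It assumes a Bearer token scheme, a placeholder token (`example-rtld-token`), one JSON object per line in the decompressed payload, and constructed sample records; none of these are taken from the page.

```python
import gzip
import hmac
import ipaddress
import json

# Source blocks from which RTLD delivers log data (from the documentation above).
ALLOWED_SOURCES = [
    ipaddress.ip_network(cidr)
    for cidr in ("152.195.20.0/24", "192.16.61.0/24", "198.7.21.0/24")
]

# Placeholder shared token (assumption); load from a secrets store in practice.
EXPECTED_TOKEN = "example-rtld-token"


def source_allowed(remote_ip):
    """True if the connecting address falls inside one of the allowed CIDR blocks."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        # Malformed or spoofed address strings are rejected rather than raising.
        return False
    return any(addr in net for net in ALLOWED_SOURCES)


def authorized(headers, expected_token=EXPECTED_TOKEN):
    """Check a 'Authorization: Bearer <token>' header with a constant-time compare."""
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = lowered.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    return hmac.compare_digest(token.encode("utf-8"), expected_token.encode("utf-8"))


def decode_body(body):
    """Gunzip the delivery and parse it as newline-delimited JSON (layout assumed)."""
    text = gzip.decompress(body).decode("utf-8")
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def handle_delivery(remote_ip, headers, body):
    """Return (http_status, records) for one inbound delivery."""
    if not source_allowed(remote_ip):
        return 403, []
    if not authorized(headers):
        return 401, []
    try:
        records = decode_body(body)
    except (OSError, EOFError, ValueError):
        # Not gzip, truncated gzip, bad UTF-8 or bad JSON: reject the payload.
        return 400, []
    return 200, records


# Constructed sample payload (field names are illustrative, not RTLD's schema).
SAMPLE_RECORDS = [
    {"client_ip": "203.0.113.10", "status_code": 200, "path": "/index.html"},
    {"client_ip": "203.0.113.11", "status_code": 404, "path": "/missing"},
]
SAMPLE_BODY = gzip.compress(
    "\n".join(json.dumps(r) for r in SAMPLE_RECORDS).encode("utf-8")
)

if __name__ == "__main__":
    status, records = handle_delivery(
        "152.195.20.7", {"Authorization": "Bearer " + EXPECTED_TOKEN}, SAMPLE_BODY
    )
    print(status, len(records))
```

The CIDR check is a defence-in-depth complement to the firewall rule, not a replacement for it, and it must be applied to the real peer address rather than to a client-supplied header such as X-Forwarded-For unless a trusted proxy sets that header.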
Key information:
Yes. RTLD CDN logs traffic from both your Production and Staging environments.
RTLD CDN allows you to log data for custom fields through the following options:
Our CDN may take longer to propagate custom log fields than our standard log fields. Prior to propagation, RTLD CDN may return an empty value for custom log fields.
Although other settings take effect quickly, it may take up to 90 minutes before data for custom request/response headers and cookies is logged.
Example (JSON):
Example (CSV):