#cloudfront.conf
input {
  s3 {
#Enter S3 bucket name that has the CloudFront access logs. You can copy it from CloudFormation stack output "CFLogBucket"   
   bucket => "<S3 BUCKET CFLogBucket>" 
 #No change needed for "prefix"   
    prefix => ""
    #Point "region" to your AWS Region.
	region => "<AWS REGION YOU CREATED YOUR STACK IN>"  
  }
}


filter {
  grok {
    match => { "message" => "%{DATE_EU:date}\t%{TIME:time}\t%{GREEDYDATA:x_edge_location}\t(?:%{NUMBER:sc_bytes:int}|-)\t%{IPORHOST:c_ip}\t%{WORD:cs_method}\t%{HOSTNAME:cs_host}\t%{NOTSPACE:cs_uri_stem}\t%{NUMBER:sc_status:int}\t%{GREEDYDATA:referrer}\t%{GREEDYDATA:User_Agent}\t%{GREEDYDATA:cs-uri-query}\t%{GREEDYDATA:cookies}\t%{WORD:x_edge_result_type}\t%{NOTSPACE:x_edge_request_id}\t%{HOSTNAME:x_host_header}\t%{URIPROTO:cs_protocol}\t%{INT:cs_bytes:int}\t%{NUMBER:time_taken:float}\t%{GREEDYDATA:x_forwarded_for}\t%{GREEDYDATA:ssl_protocol}\t%{GREEDYDATA:ssl_cipher}\t%{GREEDYDATA:x_edge_response_result_type}\t%{GREEDYDATA:cs-protocol-version}\t%{GREEDYDATA:fle-status}\t%{GREEDYDATA:fle-encrypted-fields}" }
  }

  mutate {
    add_field => [ "listener_timestamp", "%{date} %{time}" ]
  }

  date {
    match => [ "listener_timestamp", "yy-MM-dd HH:mm:ss" ]
    target => "@timestamp"
  }

  geoip {
    source => "c_ip"
  }

  useragent {
    source => "User_Agent"
    target => "useragent"
  }

  mutate {
    remove_field => ["date", "time", "listener_timestamp", "cloudfront_version", "message", "cloudfront_fields", "User_Agent"]
  }
}

output {
  amazon_es {
  #Enter Elasticsearch domain name WITHOUT https://. You can copy the Elasticsearch domain from CloudFormation stach output "ESDomainEndpoint"
    hosts => ["<Elasticsearch Domain>"] 
	#Point "region" to AWS Region you have created the CloudFormation stack in
    region => "<AWS REGION YOU CREATED YOUR STACK IN>" 
    index => "cloudfront-logs-%{+YYYY.MM.dd}"
  }
}