AEMCS CDN Logs not recognized by Elastic Dashboard tool

Hi @viavu,

So it sounds like you did everything right — set up the cdn.yaml traffic filter rules, ran the pipeline, triggered some simulated traffic with Vegeta — and the logs did get generated, but then... boom the WAF Dashboard in Elastic throws that warning about aem_env_name.keyword not being found, and nothing shows up. Super frustrating, especially after all that setup.

There might be a couple of things going on here, and I have a few ideas that might help:

1. Missing Fields in CDN Logs from Development Environment

In AEMaaCS, CDN logs for development environments may not include all metadata fields (like aem_env_name) which are present in production/stage logs. This is by design and has been observed often.

Solution:

Update your Kibana data view and Elastic dashboard saved objects to remove the dependency on aem_env_name.keyword.

You can do this by:

• Going to Kibana → Stack Management → Index Patterns (or Data Views).

• Open aem-cdn-logs.

• Check if aem_env_name or aem_env_name.keyword exists.

  • If not, that's your problem.

• Modify the dashboard filters or visualizations to not depend on this field.

Alternatively:

• Add a scripted field to simulate aem_env_name for local/dev logs if needed for dashboard rendering.

2. Mismatch in Log Format

You noticed a mismatch in expected vs actual log fields. Development CDN logs may be in a simplified or non-standard format (e.g., missing aem_env_name, geo.country, rule_id, etc.).

Solution:

Manually compare:

• A sample production/staging log vs your development log (line by line).

• Adjust your dashboard visualizations or log parsing rules to accommodate the dev format.

You might also want to ingest the logs with a custom log pipeline (like Logstash/Beats) and enrich them.

3. cdns.yaml Rules Do Not Affect Logging Format

Your custom cdn.yaml WAF/traffic rules are not responsible for changing the log format — they only influence filtering/response behavior. The log schema is handled upstream by Adobe's CDN config and the environment type.

4. Using Workaround for Local Testing

If you want to test the WAF dashboard flow reliably, Adobe suggests:

• Use Stage environment if possible (they have richer logs).

• Or, inject missing fields temporarily (during log ingestion or via script).

• Use custom dashboards made for Development logs only (filtered subset of Elastic objects).

Optional: Contact Adobe Support

If this is blocking or the dashboard is managed by Adobe:

• Raise a DayCare ticket and share:

  • Sample log lines

  • Screenshot of dashboard error

  • Version of Elastic/Kibana

  • Your custom cdn.yaml

Hope that helps!

Regards,
Santosh