Skip to content
Event Correlation Engine for Fastly WAF Events ('event correlation engine' sounds a lot cooler than 'log smoosher')
Go Shell
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Current Release

Circle CI

Go Report Card

Go Doc


Fastly WAF events come in two flavors. The first is a 'waf' event, which means something in an incoming request triggered an alarm. You'll generally see one of these for every rule that was violated.

Fastly also sends a 'req' event, which has information about the request. This will come out as soon as the request completes.

These two entry types will come in at different times, but must be correlated to truly make sense of what triggered the waf, and to really understand what should be done about it.

This Event Correlation Engine (ECE), is really just a syslog server that receives the log streams from Fastly, and holds them for a certain amount of time (the TTL) waiting for the rest of the entries for a given request to arrive. Once the TTL expires, whatever is in memory is passed on, and the memory is flushed.

The default TTL is 20 seconds.

Correlated logs are written to STDERR and can be redirected as desired.

NOTE: This service is under development


    go get


You can get help at any time by running:

fastly-waf-ece help

Run on a given address:

fastly-waf-ece -a

Run on a given address with a specific TTL:

fastly-waf-ece -a -t 30

Run in debug mode (dumps every log entry seen to STDOUT)

fastly-waf-ece -a -d
You can’t perform that action at this time.