Add support for iis 7.5 log with different format of destination/sour…

…ce address (#11256) * Add support for iis 7.5 log with different destination/source address * update changelog * Add test with IPv6 ip address
elastic · Mar 16, 2019 · e5ffcd6 · e5ffcd6
1 parent 6b915a5
commit e5ffcd6
Show file tree

Hide file tree

Showing 4 changed files with 84 additions and 1 deletion.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -170,6 +170,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add on_failure handler for Zeek ingest pipelines. Fix one field name error for notice and add an additional test 
  case. {issue}11004[11004] {pull}11105[11105]
 - Change URLPATH grok pattern to support brackets. {issue}11135[11135] {pull}11252[11252]
+- Add support for iis log with different address format. {issue}11255[11255] {pull}11256[11256]
 
 *Heartbeat*
 

diff --git a/filebeat/module/iis/access/ingest/default.json b/filebeat/module/iis/access/ingest/default.json
@@ -7,7 +7,8 @@
  "%{TIMESTAMP_ISO8601:iis.access.time} %{IPORHOST:destination.address} %{WORD:http.request.method} %{URIPATHWITHBRACKET:url.path} %{NOTSPACE:url.query} %{NUMBER:destination.port:long} %{NOTSPACE:user.name} %{IPORHOST:source.address} %{NOTSPACE:user_agent.original} %{NOTSPACE:http.request.referrer} %{NUMBER:http.response.status_code:long} %{NUMBER:iis.access.sub_status:long} %{NUMBER:iis.access.win32_status:long} %{NUMBER:temp.duration:long}",
  "%{TIMESTAMP_ISO8601:iis.access.time} %{NOTSPACE:iis.access.site_name} %{WORD:http.request.method} %{URIPATH:url.path} %{NOTSPACE:url.query} %{NUMBER:destination.port:long} %{NOTSPACE:user.name} %{IPORHOST:source.address} %{NOTSPACE:user_agent.original} %{NOTSPACE:iis.access.cookie} %{NOTSPACE:http.request.referrer} %{NOTSPACE:destination.domain} %{NUMBER:http.response.status_code:long} %{NUMBER:iis.access.sub_status:long} %{NUMBER:iis.access.win32_status:long} %{NUMBER:http.response.body.bytes:long} %{NUMBER:http.request.body.bytes:long} %{NUMBER:temp.duration:long}",
  "%{TIMESTAMP_ISO8601:iis.access.time} %{NOTSPACE:iis.access.site_name} %{NOTSPACE:iis.access.server_name} %{IPORHOST:destination.address} %{WORD:http.request.method} %{URIPATH:url.path} %{NOTSPACE:url.query} %{NUMBER:destination.port:long} %{NOTSPACE:user.name} %{IPORHOST:source.address} HTTP/%{NUMBER:http.version} %{NOTSPACE:user_agent.original} %{NOTSPACE:iis.access.cookie} %{NOTSPACE:http.request.referrer} %{NOTSPACE:destination.domain} %{NUMBER:http.response.status_code:long} %{NUMBER:iis.access.sub_status:long} %{NUMBER:iis.access.win32_status:long} %{NUMBER:http.response.body.bytes:long} %{NUMBER:http.request.body.bytes:long} %{NUMBER:temp.duration:long}",
- "%{TIMESTAMP_ISO8601:iis.access.time} \\[%{IPORHOST:destination.address}\\]\\(http://%{IPORHOST:destination.address}\\) %{WORD:http.request.method} %{URIPATH:url.path} %{NOTSPACE:url.query} %{NUMBER:destination.port:long} %{NOTSPACE:user.name} \\[%{IPORHOST:source.address}\\]\\(http://%{IPORHOST:source.address}\\) %{NOTSPACE:user_agent.original} %{NUMBER:http.response.status_code:long} %{NUMBER:iis.access.sub_status:long} %{NUMBER:iis.access.win32_status:long} %{NUMBER:temp.duration:long}"
+ "%{TIMESTAMP_ISO8601:iis.access.time} \\[%{IPORHOST:destination.address}\\]\\(http://%{IPORHOST:destination.address}\\) %{WORD:http.request.method} %{URIPATH:url.path} %{NOTSPACE:url.query} %{NUMBER:destination.port:long} %{NOTSPACE:user.name} \\[%{IPORHOST:source.address}\\]\\(http://%{IPORHOST:source.address}\\) %{NOTSPACE:user_agent.original} %{NUMBER:http.response.status_code:long} %{NUMBER:iis.access.sub_status:long} %{NUMBER:iis.access.win32_status:long} %{NUMBER:temp.duration:long}",
+ "%{TIMESTAMP_ISO8601:iis.access.time} %{IPORHOST:destination.address} %{WORD:http.request.method} %{URIPATH:url.path} %{NOTSPACE:url.query} %{NUMBER:destination.port:long} %{NOTSPACE:user.name} %{IPORHOST:source.address} %{NOTSPACE:user_agent.original} %{NUMBER:http.response.status_code:long} %{NUMBER:iis.access.sub_status:long} %{NUMBER:iis.access.win32_status:long} %{NUMBER:temp.duration:long}"
  ],
  "pattern_definitions": {
  "URIPATHWITHBRACKET": "(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_\\-\\[\\]]*)+"

diff --git a/filebeat/module/iis/access/test/test-iis-7.5.log b/filebeat/module/iis/access/test/test-iis-7.5.log
@@ -3,3 +3,6 @@
 #Date: 2018-08-28 18:24:25
 #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
 2018-08-28 18:24:25 [10.100.220.70](http://10.100.220.70) GET / - 80 - [10.100.118.31](http://10.100.118.31) Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR[+2.0.50727](tel:+2050727);+.NET+CLR+3.0.30729) 404 4 2 792
+2019-03-06 18:43:17 10.0.140.107 GET /health-monitoring - 80 - 10.0.140.2 - 200 0 0 15
+2019-03-06 18:43:17 10.0.140.107 GET /health-monitoring - 80 - 10.0.140.2 - 200 0 0 15
+2019-03-06 18:43:17 2001:cdba:0000:0000:0000:0000:3257:9652 GET /health-monitoring - 80 - 2001:cdba:0000:0000:0000:0000:3257:9652 - 200 0 0 15
diff --git a/filebeat/module/iis/access/test/test-iis-7.5.log-expected.json b/filebeat/module/iis/access/test/test-iis-7.5.log-expected.json
@@ -26,5 +26,83 @@
  "user_agent.original": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR[ 2.0.50727](tel: 2050727); .NET CLR 3.0.30729)",
  "user_agent.os.name": "Windows 8.1",
  "user_agent.version": "7.0"
+ },
+ {
+ "@timestamp": "2019-03-06T18:43:17.000Z",
+ "destination.address": "10.0.140.107",
+ "destination.ip": "10.0.140.107",
+ "destination.port": 80,
+ "ecs.version": "1.0.0",
+ "event.dataset": "iis.access",
+ "event.duration": 15000000,
+ "event.module": "iis",
+ "fileset.name": "access",
+ "http.request.method": "GET",
+ "http.response.status_code": 200,
+ "iis.access.sub_status": 0,
+ "iis.access.win32_status": 0,
+ "input.type": "log",
+ "log.offset": 532,
+ "service.type": "iis",
+ "source.address": "10.0.140.2",
+ "source.ip": "10.0.140.2",
+ "url.path": "/health-monitoring",
+ "url.query": "-",
+ "user.name": "-",
+ "user_agent.device.name": "Other",
+ "user_agent.name": "Other",
+ "user_agent.original": "-"
+ },
+ {
+ "@timestamp": "2019-03-06T18:43:17.000Z",
+ "destination.address": "10.0.140.107",
+ "destination.ip": "10.0.140.107",
+ "destination.port": 80,
+ "ecs.version": "1.0.0",
+ "event.dataset": "iis.access",
+ "event.duration": 15000000,
+ "event.module": "iis",
+ "fileset.name": "access",
+ "http.request.method": "GET",
+ "http.response.status_code": 200,
+ "iis.access.sub_status": 0,
+ "iis.access.win32_status": 0,
+ "input.type": "log",
+ "log.offset": 619,
+ "service.type": "iis",
+ "source.address": "10.0.140.2",
+ "source.ip": "10.0.140.2",
+ "url.path": "/health-monitoring",
+ "url.query": "-",
+ "user.name": "-",
+ "user_agent.device.name": "Other",
+ "user_agent.name": "Other",
+ "user_agent.original": "-"
+ },
+ {
+ "@timestamp": "2019-03-06T18:43:17.000Z",
+ "destination.address": "2001:cdba:0000:0000:0000:0000:3257:9652",
+ "destination.ip": "2001:cdba:0000:0000:0000:0000:3257:9652",
+ "destination.port": 80,
+ "ecs.version": "1.0.0",
+ "event.dataset": "iis.access",
+ "event.duration": 15000000,
+ "event.module": "iis",
+ "fileset.name": "access",
+ "http.request.method": "GET",
+ "http.response.status_code": 200,
+ "iis.access.sub_status": 0,
+ "iis.access.win32_status": 0,
+ "input.type": "log",
+ "log.offset": 706,
+ "service.type": "iis",
+ "source.address": "2001:cdba:0000:0000:0000:0000:3257:9652",
+ "source.ip": "2001:cdba:0000:0000:0000:0000:3257:9652",
+ "url.path": "/health-monitoring",
+ "url.query": "-",
+ "user.name": "-",
+ "user_agent.device.name": "Other",
+ "user_agent.name": "Other",
+ "user_agent.original": "-"
  }
 ]