Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Filebeat] Add ECS tls & categorization fields to apache module #16121

Merged
merged 4 commits into from
Feb 7, 2020
Merged
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -103,6 +103,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add dashboard for AWS ELB fileset. {pull}15804[15804]
- Add dashboard for AWS vpcflow fileset. {pull}16007[16007]
- Add ECS tls fields to zeek:smtp,rdp,ssl and aws:s3access,elb {issue}15757[15757] {pull}15935[15936]
- Add ECS tls and categorizaiton fields to apache module. {issue}16032[16032] {pull}16121[16121]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- Add ECS tls and categorizaiton fields to apache module. {issue}16032[16032] {pull}16121[16121]
- Add ECS tls and categorization fields to apache module. {issue}16032[16032] {pull}16121[16121]


*Heartbeat*

Expand Down
100 changes: 0 additions & 100 deletions filebeat/module/apache/access/ingest/default.json

This file was deleted.

103 changes: 103 additions & 0 deletions filebeat/module/apache/access/ingest/pipeline.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,103 @@
description: "Pipeline for parsing Apache HTTP Server access logs. Requires the geoip and user_agent plugins."

processors:
- grok:
field: message
patterns:
- '%{IPORHOST:destination.domain} %{IPORHOST:source.ip} - %{DATA:user.name} \[%{HTTPDATE:apache.access.time}\]
"(?:%{WORD:http.request.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}|-)?"
%{NUMBER:http.response.status_code:long} (?:%{NUMBER:http.response.body.bytes:long}|-)(
"%{DATA:http.request.referrer}")?( "%{DATA:user_agent.original}")?'
- '%{IPORHOST:source.address} - %{DATA:user.name} \[%{HTTPDATE:apache.access.time}\]
"(?:%{WORD:http.request.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}|-)?"
%{NUMBER:http.response.status_code:long} (?:%{NUMBER:http.response.body.bytes:long}|-)(
"%{DATA:http.request.referrer}")?( "%{DATA:user_agent.original}")?'
- '%{IPORHOST:source.address} - %{DATA:user.name} \[%{HTTPDATE:apache.access.time}\]
"-" %{NUMBER:http.response.status_code:long} -'
- \[%{HTTPDATE:apache.access.time}\] %{IPORHOST:source.address} %{DATA:apache.access.ssl.protocol}
%{DATA:apache.access.ssl.cipher} "%{WORD:http.request.method} %{DATA:url.original}
HTTP/%{NUMBER:http.version}" (-|%{NUMBER:http.response.body.bytes:long})
ignore_missing: true
- remove:
field: message
- set:
field: event.kind
value: event
- set:
field: event.category
value: web
- set:
field: event.outcome
value: success
if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code < 400"
- set:
field: event.outcome
value: failure
if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code > 399"
- lowercase:
field: http.request.method
ignore_missing: true
- grok:
field: source.address
ignore_missing: true
patterns:
- ^(%{IP:source.ip}|%{HOSTNAME:source.domain})$
- rename:
field: '@timestamp'
target_field: event.created
- date:
field: apache.access.time
target_field: '@timestamp'
formats:
- dd/MMM/yyyy:H:m:s Z
ignore_failure: true
- remove:
field: apache.access.time
ignore_failure: true
- user_agent:
field: user_agent.original
ignore_failure: true
- geoip:
field: source.ip
target_field: source.geo
ignore_missing: true
- geoip:
database_file: GeoLite2-ASN.mmdb
field: source.ip
target_field: source.as
properties:
- asn
- organization_name
ignore_missing: true
- rename:
field: source.as.asn
target_field: source.as.number
ignore_missing: true
- rename:
field: source.as.organization_name
target_field: source.as.organization.name
ignore_missing: true
- set:
field: tls.cipher
value: '{{apache.access.ssl.cipher}}'
if: ctx?.apache?.access?.ssl?.cipher != null

- script:
lang: painless
if: ctx?.apache?.access?.ssl?.protocol != null
source: >-
def parts = ctx.apache.access.ssl.protocol.toLowerCase().splitOnToken("v");
if (parts.length != 2) {
return;
}
if (parts[1].contains(".")) {
ctx.tls.version = parts[1];
} else {
ctx.tls.version = parts[1] + ".0";
}
ctx.tls.version_protocol = parts[0];

on_failure:
- set:
field: error.message
value: '{{ _ingest.on_failure_message }}'
2 changes: 1 addition & 1 deletion filebeat/module/apache/access/manifest.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ var:
- "C:/tools/Apache/httpd-2.*/Apache24/logs/access.log*"
- "C:/Program Files/Apache Software Foundation/Apache2.*/logs/access.log*"

ingest_pipeline: ingest/default.json
ingest_pipeline: ingest/pipeline.yml
input: config/access.yml

requires.processors:
Expand Down
28 changes: 23 additions & 5 deletions filebeat/module/apache/access/test/darwin-2.4.23.log-expected.json
Original file line number Diff line number Diff line change
@@ -1,10 +1,13 @@
[
{
"@timestamp": "2016-12-26T14:16:28.000Z",
"event.category": "web",
"event.dataset": "apache.access",
"event.kind": "event",
"event.module": "apache",
"event.outcome": "success",
"fileset.name": "access",
"http.request.method": "GET",
"http.request.method": "get",
"http.response.body.bytes": 45,
"http.response.status_code": 200,
"http.version": "1.1",
Expand All @@ -18,10 +21,13 @@
},
{
"@timestamp": "2016-12-26T14:16:29.000Z",
"event.category": "web",
"event.dataset": "apache.access",
"event.kind": "event",
"event.module": "apache",
"event.outcome": "failure",
"fileset.name": "access",
"http.request.method": "GET",
"http.request.method": "get",
"http.response.body.bytes": 209,
"http.response.status_code": 404,
"http.version": "1.1",
Expand All @@ -35,8 +41,11 @@
},
{
"@timestamp": "2016-12-26T14:16:48.000Z",
"event.category": "web",
"event.dataset": "apache.access",
"event.kind": "event",
"event.module": "apache",
"event.outcome": "failure",
"fileset.name": "access",
"http.response.status_code": 408,
"input.type": "log",
Expand All @@ -48,10 +57,13 @@
},
{
"@timestamp": "2016-12-26T16:23:35.000Z",
"event.category": "web",
"event.dataset": "apache.access",
"event.kind": "event",
"event.module": "apache",
"event.outcome": "success",
"fileset.name": "access",
"http.request.method": "GET",
"http.request.method": "get",
"http.response.body.bytes": 45,
"http.response.status_code": 200,
"http.version": "1.1",
Expand All @@ -74,10 +86,13 @@
},
{
"@timestamp": "2016-12-26T16:23:41.000Z",
"event.category": "web",
"event.dataset": "apache.access",
"event.kind": "event",
"event.module": "apache",
"event.outcome": "failure",
"fileset.name": "access",
"http.request.method": "GET",
"http.request.method": "get",
"http.response.body.bytes": 206,
"http.response.status_code": 404,
"http.version": "1.1",
Expand All @@ -100,10 +115,13 @@
},
{
"@timestamp": "2016-12-26T16:23:45.000Z",
"event.category": "web",
"event.dataset": "apache.access",
"event.kind": "event",
"event.module": "apache",
"event.outcome": "failure",
"fileset.name": "access",
"http.request.method": "GET",
"http.request.method": "get",
"http.response.body.bytes": 201,
"http.response.status_code": 404,
"http.version": "1.1",
Expand Down
14 changes: 12 additions & 2 deletions filebeat/module/apache/access/test/ssl-request.log-expected.json
Original file line number Diff line number Diff line change
Expand Up @@ -3,27 +3,34 @@
"@timestamp": "2018-08-10T07:45:56.000Z",
"apache.access.ssl.cipher": "ECDHE-RSA-AES128-GCM-SHA256",
"apache.access.ssl.protocol": "TLSv1.2",
"event.category": "web",
"event.dataset": "apache.access",
"event.kind": "event",
"event.module": "apache",
"fileset.name": "access",
"http.request.method": "GET",
"http.request.method": "get",
"http.response.body.bytes": 1375,
"http.version": "1.1",
"input.type": "log",
"log.offset": 0,
"service.type": "apache",
"source.address": "172.30.0.119",
"source.ip": "172.30.0.119",
"tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256",
"tls.version": "1.2",
"tls.version_protocol": "tls",
"url.original": "/nagiosxi/ajaxhelper.php?cmd=getxicoreajax&amp;opts=%7B%22func%22%3A%22get_admin_tasks_html%22%2C%22args%22%3A%22%22%7D&amp;nsp=b5c7d5d4b6f7d0cf0c92f9cbdf737f6a5c838218425e6ae21"
},
{
"@timestamp": "2019-10-16T09:53:47.000Z",
"apache.access.ssl.cipher": "ECDHE-RSA-AES128-GCM-SHA256",
"apache.access.ssl.protocol": "TLSv1.2",
"event.category": "web",
"event.dataset": "apache.access",
"event.kind": "event",
"event.module": "apache",
"fileset.name": "access",
"http.request.method": "GET",
"http.request.method": "get",
"http.version": "1.1",
"input.type": "log",
"log.offset": 276,
Expand All @@ -34,6 +41,9 @@
"source.geo.location.lat": 37.751,
"source.geo.location.lon": -97.822,
"source.ip": "11.19.0.217",
"tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256",
"tls.version": "1.2",
"tls.version_protocol": "tls",
"url.original": "/appl/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_pagetop_alert_content_html%22%2C%22args%22%3A%22%22%7D&nsp=c2700eab9797eda8a9f65a3ab17a6adbceccd60a6cca7708650a5923950d"
}
]
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,13 @@
{
"@timestamp": "2016-12-26T16:22:14.000Z",
"destination.domain": "vhost1.domaine.fr",
"event.category": "web",
"event.dataset": "apache.access",
"event.kind": "event",
"event.module": "apache",
"event.outcome": "failure",
"fileset.name": "access",
"http.request.method": "GET",
"http.request.method": "get",
"http.request.referrer": "-",
"http.response.body.bytes": 499,
"http.response.status_code": 404,
Expand Down
Loading