From 5465b56fbc975ed8fea48248c6d6984be007c734 Mon Sep 17 00:00:00 2001
From: iasdeoupxe <39667843+iasdeoupxe@users.noreply.github.com>
Date: Sun, 27 May 2018 10:57:14 +0200
Subject: [PATCH 1/2] Extract the dstuser for nginx basic auth
---
decoders/0170-nginx_decoders.xml | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/decoders/0170-nginx_decoders.xml b/decoders/0170-nginx_decoders.xml
index 811ad8fec..2c34edde4 100644
--- a/decoders/0170-nginx_decoders.xml
+++ b/decoders/0170-nginx_decoders.xml
@@ -7,15 +7,24 @@
-->
^20\d\d/\d\d/\d\d \d\d:\d\d:\d\d [
+
+ nginx-errorlog
+ user "\.+"\.+, client: \S+, server: \S+, request: "\S+
+ user "(\.+)"\.+, client: (\S+),
+ dstuser, srcip
+
+
nginx-errorlog
, client: \S+, server: \S+, request: "\S+
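Review bot: The value captured as dstuser by `user "(\.+)"\.+, client: (\S+),` is the basic-auth user name chosen by the client, and it appears in the line before the `client:` field that the same regex captures as srcip. If nginx writes that name to the error log without escaping quotes (worth confirming for the versions you support), neither capture is bounded by a delimiter the client cannot also supply. Rules and active responses that consume these fields should therefore treat them as untrusted. I would add a comment above the decoder, for example `<!-- dstuser is taken from the client-supplied Authorization header; srcip from this decoder should be cross-checked before it drives a blocking action -->`. The same concern carries over to the split regexes `user "(\.+)"` and `client: (\S+),` in patch 2/2.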
From 33734c6c56865d5ec78197f23d9e7abe9b5addb4 Mon Sep 17 00:00:00 2001
From: AlfonsoRBJ
Date: Thu, 28 Jun 2018 15:51:38 +0200
Subject: [PATCH 2/2] upgrade 0170-nginx_decoders.xml
We have added two twin decoders in order to get the "dstuser" field when the event contains the user.
---
decoders/0170-nginx_decoders.xml | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/decoders/0170-nginx_decoders.xml b/decoders/0170-nginx_decoders.xml
index 2c34edde4..ac786d89c 100644
--- a/decoders/0170-nginx_decoders.xml
+++ b/decoders/0170-nginx_decoders.xml
@@ -20,9 +20,15 @@
nginx-errorlog
- user "\.+"\.+, client: \S+, server: \S+, request: "\S+
- user "(\.+)"\.+, client: (\S+),
- dstuser, srcip
+ user "\.+"
+ user "(\.+)"
+ dstuser
+
+
+
+ nginx-errorlog
+ client: (\S+),
+ srcip
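Review bot: The new srcip decoder's regex `client: (\S+),` has no prematch and no leading delimiter, so it is tried on every nginx-errorlog event and takes the first `client: ` in the line, not necessarily the field nginx appends. Anchoring it on the same field layout as the existing prematch, `, client: (\S+), server: `, would cut accidental matches on message text, though it cannot exclude text that appears before the real field. The prematch was also loosened to `user "\.+"`, which now selects any error line containing a quoted `user` token. A decoder test with the auth-failure messages and one unrelated error line would show whether dstuser and srcip still come out as intended.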