Skip to content

Commit

Permalink
[Filebeat] Add URI Parts Processor to multiple modules (#24699)
Browse files Browse the repository at this point in the history
* Update Nginx pipelines

* Update Apache, Nginx, IIS, Traefik pipelines

* Update AWS S3

* Update Cisco

* Update F5

* Update Fortinet

* Update Imperva, Netscout, O365, Sophos, Squid, Suricata, Zscaler

* additional fixes

* update pipelines

* unescape \

* remove urldecodes for url.original

* updates after rebase

* update zeek SIP

* update changelog as requested by @andrewstucki

* remove `url_decode` for `http.request.referrer`

* update generated data
  • Loading branch information
legoguy1000 authored Apr 27, 2021
1 parent 9fb519f commit f1fea95
Show file tree
Hide file tree
Showing 101 changed files with 5,939 additions and 1,906 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Possible values for Netflow's locality fields (source.locality, destination.locality and flow.locality) are now `internal` and `external`, instead of `private` and `public`. {issue}24272[24272] {pull}24295[24295]
- Add User Agent Parser for Azure Sign In Logs Ingest Pipeline {pull}23201[23201]
- Changes filebeat httpjson input's append transform to create a list even with only a single value{pull}25074[25074]
- All url.* fields apart from url.original in the Apache, Nginx, IIS, Traefik, S3Access, Cisco, F5, Fortinet, Google Workspace, Imperva, Microsoft, Netscout, O365, Sophos, Squid, Suricata, Zeek, Zia, Zoom, and ZScaler modules are now url unescaped due to using the Elasticsearch uri_parts processor. {pull}24699[24699]

*Heartbeat*

Expand Down Expand Up @@ -406,6 +407,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Fix IPtables Pipeline and Ubiquiti dashboard. {issue}24878[24878] {pull}24928[24928]
- Fix gcp module field names to use gcp instead of googlecloud. {pull}25038[25038]
- Change `checkpoint.source_object` from Long to Keyword. {issue}25124[25124] {pull}25145[25145]
- Fix Nginx module pipelines. {issue}19088[19088] {pull}24699[24699]

*Heartbeat*

Expand Down Expand Up @@ -849,6 +851,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Added `http.request.id` to `nginx/ingress_controller` and `elasticsearch/audit`. {pull}24994[24994]
- Add `awsfargate` module to collect container logs from Amazon ECS on Fargate. {pull}25041[25041]
- New module `cyberarkpas` for CyberArk Privileged Access Security audit logs. {pull}24803[24803]
- Add `uri_parts` processor to Apache, Nginx, IIS, Traefik, S3Access, Cisco, F5, Fortinet, Google Workspace, Imperva, Microsoft, Netscout, O365, Sophos, Squid, Suricata, Zeek, Zia, Zoom, and ZScaler modules ingest pipelines. {issue}19088[19088] {pull}24699[24699]

*Heartbeat*

Expand Down
47 changes: 42 additions & 5 deletions filebeat/module/apache/access/ingest/pipeline.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,25 +4,37 @@ processors:
- set:
field: event.ingested
value: '{{_ingest.timestamp}}'
- grok:
- rename:
field: message
target_field: event.original
- grok:
field: event.original
patterns:
- '%{IPORHOST:destination.domain} %{IPORHOST:source.ip} - %{DATA:user.name} \[%{HTTPDATE:apache.access.time}\]
"(?:%{WORD:http.request.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}|-)?"
"(?:%{WORD:http.request.method} %{DATA:_tmp.url_orig} HTTP/%{NUMBER:http.version}|-)?"
%{NUMBER:http.response.status_code:long} (?:%{NUMBER:http.response.body.bytes:long}|-)(
"%{DATA:http.request.referrer}")?( "%{DATA:user_agent.original}")?'
- '%{IPORHOST:source.address} - %{DATA:user.name} \[%{HTTPDATE:apache.access.time}\]
"(?:%{WORD:http.request.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}|-)?"
"(?:%{WORD:http.request.method} %{DATA:_tmp.url_orig} HTTP/%{NUMBER:http.version}|-)?"
%{NUMBER:http.response.status_code:long} (?:%{NUMBER:http.response.body.bytes:long}|-)(
"%{DATA:http.request.referrer}")?( "%{DATA:user_agent.original}")?'
- '%{IPORHOST:source.address} - %{DATA:user.name} \[%{HTTPDATE:apache.access.time}\]
"-" %{NUMBER:http.response.status_code:long} -'
- \[%{HTTPDATE:apache.access.time}\] %{IPORHOST:source.address} %{DATA:apache.access.ssl.protocol}
%{DATA:apache.access.ssl.cipher} "%{WORD:http.request.method} %{DATA:url.original}
%{DATA:apache.access.ssl.cipher} "%{WORD:http.request.method} %{DATA:_tmp.url_orig}
HTTP/%{NUMBER:http.version}" (-|%{NUMBER:http.response.body.bytes:long})
ignore_missing: true
- uri_parts:
field: _tmp.url_orig
ignore_failure: true
- set:
field: url.domain
value: "{{destination.domain}}"
if: ctx.url?.domain == null && ctx.destination?.domain != null
- remove:
field: message
field:
- _tmp.url_orig
ignore_missing: true
- set:
field: event.kind
value: event
Expand Down Expand Up @@ -97,6 +109,31 @@ processors:
}
ctx.tls.version_protocol = parts[0];
- script:
lang: painless
description: This script processor iterates over the whole document to remove fields with null values.
source: |
void handleMap(Map map) {
for (def x : map.values()) {
if (x instanceof Map) {
handleMap(x);
} else if (x instanceof List) {
handleList(x);
}
}
map.values().removeIf(v -> v == null);
}
void handleList(List list) {
for (def x : list) {
if (x instanceof Map) {
handleMap(x);
} else if (x instanceof List) {
handleList(x);
}
}
}
handleMap(ctx);
on_failure:
- set:
field: error.message
Expand Down
12 changes: 12 additions & 0 deletions filebeat/module/apache/access/test/darwin-2.4.23.log-expected.json
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
"event.dataset": "apache.access",
"event.kind": "event",
"event.module": "apache",
"event.original": "::1 - - [26/Dec/2016:16:16:28 +0200] \"GET / HTTP/1.1\" 200 45",
"event.outcome": "success",
"fileset.name": "access",
"http.request.method": "GET",
Expand All @@ -17,6 +18,7 @@
"source.address": "::1",
"source.ip": "::1",
"url.original": "/",
"url.path": "/",
"user.name": "-"
},
{
Expand All @@ -25,6 +27,7 @@
"event.dataset": "apache.access",
"event.kind": "event",
"event.module": "apache",
"event.original": "::1 - - [26/Dec/2016:16:16:29 +0200] \"GET /favicon.ico HTTP/1.1\" 404 209",
"event.outcome": "failure",
"fileset.name": "access",
"http.request.method": "GET",
Expand All @@ -36,7 +39,9 @@
"service.type": "apache",
"source.address": "::1",
"source.ip": "::1",
"url.extension": "ico",
"url.original": "/favicon.ico",
"url.path": "/favicon.ico",
"user.name": "-"
},
{
Expand All @@ -45,6 +50,7 @@
"event.dataset": "apache.access",
"event.kind": "event",
"event.module": "apache",
"event.original": "::1 - - [26/Dec/2016:16:16:48 +0200] \"-\" 408 -",
"event.outcome": "failure",
"fileset.name": "access",
"http.response.status_code": 408,
Expand All @@ -61,6 +67,7 @@
"event.dataset": "apache.access",
"event.kind": "event",
"event.module": "apache",
"event.original": "77.179.66.156 - - [26/Dec/2016:18:23:35 +0200] \"GET / HTTP/1.1\" 200 45",
"event.outcome": "success",
"fileset.name": "access",
"http.request.method": "GET",
Expand All @@ -83,6 +90,7 @@
"source.geo.region_name": "Rheinland-Pfalz",
"source.ip": "77.179.66.156",
"url.original": "/",
"url.path": "/",
"user.name": "-"
},
{
Expand All @@ -91,6 +99,7 @@
"event.dataset": "apache.access",
"event.kind": "event",
"event.module": "apache",
"event.original": "77.179.66.156 - - [26/Dec/2016:18:23:41 +0200] \"GET /notfound HTTP/1.1\" 404 206",
"event.outcome": "failure",
"fileset.name": "access",
"http.request.method": "GET",
Expand All @@ -113,6 +122,7 @@
"source.geo.region_name": "Rheinland-Pfalz",
"source.ip": "77.179.66.156",
"url.original": "/notfound",
"url.path": "/notfound",
"user.name": "-"
},
{
Expand All @@ -121,6 +131,7 @@
"event.dataset": "apache.access",
"event.kind": "event",
"event.module": "apache",
"event.original": "77.179.66.156 - - [26/Dec/2016:18:23:45 +0200] \"GET /hmm HTTP/1.1\" 404 201",
"event.outcome": "failure",
"fileset.name": "access",
"http.request.method": "GET",
Expand All @@ -143,6 +154,7 @@
"source.geo.region_name": "Rheinland-Pfalz",
"source.ip": "77.179.66.156",
"url.original": "/hmm",
"url.path": "/hmm",
"user.name": "-"
}
]
12 changes: 10 additions & 2 deletions filebeat/module/apache/access/test/ssl-request.log-expected.json
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@
"event.dataset": "apache.access",
"event.kind": "event",
"event.module": "apache",
"event.original": "[10/Aug/2018:09:45:56 +0200] 172.30.0.119 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 \"GET /nagiosxi/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_admin_tasks_html%22%2C%22args%22%3A%22%22%7D&nsp=b5c7d5d4b6f7d0cf0c92f9cbdf737f6a5c838218425e6ae21 HTTP/1.1\" 1375",
"fileset.name": "access",
"http.request.method": "GET",
"http.response.body.bytes": 1375,
Expand All @@ -19,7 +20,10 @@
"tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256",
"tls.version": "1.2",
"tls.version_protocol": "tls",
"url.original": "/nagiosxi/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_admin_tasks_html%22%2C%22args%22%3A%22%22%7D&nsp=b5c7d5d4b6f7d0cf0c92f9cbdf737f6a5c838218425e6ae21"
"url.extension": "php",
"url.original": "/nagiosxi/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_admin_tasks_html%22%2C%22args%22%3A%22%22%7D&nsp=b5c7d5d4b6f7d0cf0c92f9cbdf737f6a5c838218425e6ae21",
"url.path": "/nagiosxi/ajaxhelper.php",
"url.query": "cmd=getxicoreajax&opts={\"func\":\"get_admin_tasks_html\",\"args\":\"\"}&nsp=b5c7d5d4b6f7d0cf0c92f9cbdf737f6a5c838218425e6ae21"
},
{
"@timestamp": "2019-10-16T09:53:47.000Z",
Expand All @@ -29,6 +33,7 @@
"event.dataset": "apache.access",
"event.kind": "event",
"event.module": "apache",
"event.original": "[16/Oct/2019:11:53:47 +0200] 11.19.0.217 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 \"GET /appl/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_pagetop_alert_content_html%22%2C%22args%22%3A%22%22%7D&nsp=c2700eab9797eda8a9f65a3ab17a6adbceccd60a6cca7708650a5923950d HTTP/1.1\" -",
"fileset.name": "access",
"http.request.method": "GET",
"http.version": "1.1",
Expand All @@ -45,6 +50,9 @@
"tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256",
"tls.version": "1.2",
"tls.version_protocol": "tls",
"url.original": "/appl/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_pagetop_alert_content_html%22%2C%22args%22%3A%22%22%7D&nsp=c2700eab9797eda8a9f65a3ab17a6adbceccd60a6cca7708650a5923950d"
"url.extension": "php",
"url.original": "/appl/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_pagetop_alert_content_html%22%2C%22args%22%3A%22%22%7D&nsp=c2700eab9797eda8a9f65a3ab17a6adbceccd60a6cca7708650a5923950d",
"url.path": "/appl/ajaxhelper.php",
"url.query": "cmd=getxicoreajax&opts={\"func\":\"get_pagetop_alert_content_html\",\"args\":\"\"}&nsp=c2700eab9797eda8a9f65a3ab17a6adbceccd60a6cca7708650a5923950d"
}
]
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
"event.dataset": "apache.access",
"event.kind": "event",
"event.module": "apache",
"event.original": "vhost1.domaine.fr 192.168.33.2 - - [26/Dec/2016:16:22:14 +0000] \"GET /hello HTTP/1.1\" 404 499 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0\"",
"event.outcome": "failure",
"fileset.name": "access",
"http.request.method": "GET",
Expand All @@ -17,7 +18,9 @@
"log.offset": 0,
"service.type": "apache",
"source.ip": "192.168.33.2",
"url.domain": "vhost1.domaine.fr",
"url.original": "/hello",
"url.path": "/hello",
"user.name": "-",
"user_agent.device.name": "Mac",
"user_agent.name": "Firefox",
Expand Down
1 change: 1 addition & 0 deletions filebeat/module/apache/access/test/test.log
Original file line number Diff line number Diff line change
Expand Up @@ -4,3 +4,4 @@
172.17.0.1 - - [29/May/2017:19:02:48 +0000] "GET /stringpatch HTTP/1.1" 404 612 "-" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2" "-"
monitoring-server - - [29/May/2017:19:02:48 +0000] "GET /status HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2" "-"
127.0.0.1 - - [02/Feb/2019:05:38:45 +0100] "-" 408 152 "-" "-"
monitoring-server - - [29/May/2017:19:02:48 +0000] "GET /A%20Beka%20G1%20Howe/029_AND_30/15%20reading%20elephants.mp4 HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2" "-"
42 changes: 42 additions & 0 deletions filebeat/module/apache/access/test/test.log-expected.json
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
"event.dataset": "apache.access",
"event.kind": "event",
"event.module": "apache",
"event.original": "::1 - - [26/Dec/2016:16:16:29 +0200] \"GET /favicon.ico HTTP/1.1\" 404 209",
"event.outcome": "failure",
"fileset.name": "access",
"http.request.method": "GET",
Expand All @@ -16,7 +17,9 @@
"service.type": "apache",
"source.address": "::1",
"source.ip": "::1",
"url.extension": "ico",
"url.original": "/favicon.ico",
"url.path": "/favicon.ico",
"user.name": "-"
},
{
Expand All @@ -25,6 +28,7 @@
"event.dataset": "apache.access",
"event.kind": "event",
"event.module": "apache",
"event.original": "192.168.33.1 - - [26/Dec/2016:16:22:13 +0000] \"GET /hello HTTP/1.1\" 404 499 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0\"",
"event.outcome": "failure",
"fileset.name": "access",
"http.request.method": "GET",
Expand All @@ -38,6 +42,7 @@
"source.address": "192.168.33.1",
"source.ip": "192.168.33.1",
"url.original": "/hello",
"url.path": "/hello",
"user.name": "-",
"user_agent.device.name": "Mac",
"user_agent.name": "Firefox",
Expand All @@ -53,6 +58,7 @@
"event.dataset": "apache.access",
"event.kind": "event",
"event.module": "apache",
"event.original": "::1 - - [26/Dec/2016:16:16:48 +0200] \"-\" 408 -",
"event.outcome": "failure",
"fileset.name": "access",
"http.response.status_code": 408,
Expand All @@ -69,6 +75,7 @@
"event.dataset": "apache.access",
"event.kind": "event",
"event.module": "apache",
"event.original": "172.17.0.1 - - [29/May/2017:19:02:48 +0000] \"GET /stringpatch HTTP/1.1\" 404 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"",
"event.outcome": "failure",
"fileset.name": "access",
"http.request.method": "GET",
Expand All @@ -82,6 +89,7 @@
"source.address": "172.17.0.1",
"source.ip": "172.17.0.1",
"url.original": "/stringpatch",
"url.path": "/stringpatch",
"user.name": "-",
"user_agent.device.name": "Other",
"user_agent.name": "Firefox Alpha",
Expand All @@ -97,6 +105,7 @@
"event.dataset": "apache.access",
"event.kind": "event",
"event.module": "apache",
"event.original": "monitoring-server - - [29/May/2017:19:02:48 +0000] \"GET /status HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"",
"event.outcome": "success",
"fileset.name": "access",
"http.request.method": "GET",
Expand All @@ -110,6 +119,7 @@
"source.address": "monitoring-server",
"source.domain": "monitoring-server",
"url.original": "/status",
"url.path": "/status",
"user.name": "-",
"user_agent.device.name": "Other",
"user_agent.name": "Firefox Alpha",
Expand All @@ -125,6 +135,7 @@
"event.dataset": "apache.access",
"event.kind": "event",
"event.module": "apache",
"event.original": "127.0.0.1 - - [02/Feb/2019:05:38:45 +0100] \"-\" 408 152 \"-\" \"-\"",
"event.outcome": "failure",
"fileset.name": "access",
"http.request.referrer": "-",
Expand All @@ -139,5 +150,36 @@
"user_agent.device.name": "Other",
"user_agent.name": "Other",
"user_agent.original": "-"
},
{
"@timestamp": "2017-05-29T19:02:48.000Z",
"event.category": "web",
"event.dataset": "apache.access",
"event.kind": "event",
"event.module": "apache",
"event.original": "monitoring-server - - [29/May/2017:19:02:48 +0000] \"GET /A%20Beka%20G1%20Howe/029_AND_30/15%20reading%20elephants.mp4 HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"",
"event.outcome": "success",
"fileset.name": "access",
"http.request.method": "GET",
"http.request.referrer": "-",
"http.response.body.bytes": 612,
"http.response.status_code": 200,
"http.version": "1.1",
"input.type": "log",
"log.offset": 666,
"service.type": "apache",
"source.address": "monitoring-server",
"source.domain": "monitoring-server",
"url.extension": "mp4",
"url.original": "/A%20Beka%20G1%20Howe/029_AND_30/15%20reading%20elephants.mp4",
"url.path": "/A Beka G1 Howe/029_AND_30/15 reading elephants.mp4",
"user.name": "-",
"user_agent.device.name": "Other",
"user_agent.name": "Firefox Alpha",
"user_agent.original": "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2",
"user_agent.os.full": "Windows 7",
"user_agent.os.name": "Windows",
"user_agent.os.version": "7",
"user_agent.version": "15.0.a2"
}
]
Loading

0 comments on commit f1fea95

Please sign in to comment.