Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Filebeat Nginx Error ingest pipeline can't parse basic auth messages #32157

Closed
leweafan opened this issue Jun 29, 2022 · 2 comments
Closed

Filebeat Nginx Error ingest pipeline can't parse basic auth messages #32157

leweafan opened this issue Jun 29, 2022 · 2 comments
Labels
enhancement Stalled Team:Service-Integrations Label for the Service Integrations team

Comments

@leweafan
Copy link
Contributor

leweafan commented Jun 29, 2022

Describe the enhancement:

Nginx error ingest pipeline should be able to parse nginx event that basic auth failed. Now parsing doesn't contain fields:

  • event.category = "authentication"
  • event.action = "login-failed"
  • event.outcome = "failure"
  • user.name
  • client.ip
  • client.geo.*
  • url.domain
  • url.original
  • http.request.referrer

Log message example:

2022/06/29 11:39:52 [error] 1342#0: *46339075 user "xxx" was not found in "/etc/nginx/conf.d/passwd", client: 10.10.10.10, server: , request: "GET /url/path/admin.css HTTP/1.0", host: "test.domain.com"
2022/06/30 17:14:22 [error] 764#764: *686 user "admin": password mismatch, client: 10.10.10.10, server: _, request: "GET / HTTP/1.1", host: "10.11.11.11"

Describe a specific use case for the enhancement or feature:

Elastic SIEM should be able to notify about failed nginx authentications.

Steps to reproduce

POST /_ingest/pipeline/filebeat-7.17.4-nginx-error-pipeline/_simulate
{
  "docs": [
    {
      "_source": {
        "@timestamp": "2022-06-29T11:39:52.178Z",
        "message" : "2022/06/29 11:39:52 [error] 1342#0: *46339075 user \"xxx\" was not found in \"/etc/nginx/conf.d/passwd\", client: 10.10.10.10, server: , request: \"GET /url/path/admin.css HTTP/1.0\", host: \"test.domain.com\""
      }
    }
  ]
}
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jun 29, 2022
@jamiehynds jamiehynds added the Team:Integrations Label for the Integrations team label Jun 30, 2022
@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jun 30, 2022
@elasticmachine
Copy link
Collaborator

Pinging @elastic/integrations (Team:Integrations)

@jamiehynds jamiehynds added enhancement needs_team Indicates that the issue/PR needs a Team:* label labels Jun 30, 2022
@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jun 30, 2022
@kaiyan-sheng kaiyan-sheng added Team:Service-Integrations Label for the Service Integrations team and removed Team:Integrations Label for the Integrations team labels Jul 6, 2022
@botelastic
Copy link

botelastic bot commented Jul 6, 2023

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Jul 6, 2023
@botelastic botelastic bot closed this as completed Jan 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement Stalled Team:Service-Integrations Label for the Service Integrations team
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants