
[FileBeat] IIS module: support for X-Forwarded-For #19142

Closed
wants to merge 2 commits into from

Conversation

marcosdiez
Contributor

@marcosdiez marcosdiez commented Jun 11, 2020

Type of Change: Enhancement

What does this PR do?

On FileBeat, for the Windows IIS logs, this PR adds an extra optional IP address field at the end of every access log line. This IP address is saved as network.forwarded_ip.

On IIS, if one adds the X-Forwarded-For header, it's appended to the end of the logs. This PR picks that up. Very useful if your Windows machine is behind an HTTP proxy/load balancer/firewall.

Why is it important?

There is no downside to this, and it makes life easier for those who need to capture the X-Forwarded-For header.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • [x] I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

  • Nothing

How to test this PR locally

Related issues

Use cases

  • useful for IIS servers behind a load balancer/firewall/proxy

@elasticmachine
Collaborator

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?


@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jun 11, 2020
@cla-checker-service

cla-checker-service bot commented Jun 11, 2020

💚 CLA has been signed

@elasticmachine
Collaborator

elasticmachine commented Jun 11, 2020

❕ Build Aborted

The PR is not allowed to run in the CI yet


Build stats

  • Build Cause: [Branch indexing]

  • Reason: The PR is not allowed to run in the CI yet

  • Start Time: 2020-06-15T22:36:11.773+0000

  • Duration: 3 min 26 sec

  • Commit: 4cd3e0f


@ycombinator ycombinator requested a review from a team June 12, 2020 00:03
@ycombinator ycombinator changed the title [FileBeat] iss module: support for X-Forwarded-For [FileBeat] IIS module: support for X-Forwarded-For Jun 12, 2020
@ycombinator
Contributor

run tests

@ycombinator ycombinator added the Team:Platforms Label for the Integrations - Platforms team label Jun 12, 2020
@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jun 12, 2020
@elasticmachine
Collaborator

Pinging @elastic/integrations-platforms (Team:Platforms)

@botelastic

botelastic bot commented Jul 17, 2020

Hi!
We just realized that we haven't looked into this PR in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1:.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Jul 17, 2020
@botelastic

botelastic bot commented Aug 16, 2020

Hi!
This PR has been stale for a while and we're going to close it as part of our cleanup procedure.
We appreciate your contribution and would like to apologize if we have not been able to review it, due to the current heavy load of the team.
Feel free to re-open this PR if you think it should stay open and is worth rebasing.
Thank you for your contribution!

@botelastic botelastic bot closed this Aug 16, 2020
@jeffrysleddens

Please merge this PR. We also have many IIS webservers behind a load balancer and thus really need the X-Forwarded-For information otherwise the logs are totally useless.

@nguyenl95

nguyenl95 commented Aug 26, 2020

Same case as @jeffrysleddens', this should be merged.

@NoelProf

NoelProf commented Oct 6, 2020

I agree with @jeffrysleddens and @nguyenl95, this should be merged!

@jsoriano
Member

jsoriano commented Oct 7, 2020

Ok, I am reopening this, but we would need to add some example test files. @marcosdiez could you add an example log file for testing? Thanks!

@jsoriano jsoriano reopened this Oct 7, 2020
@botelastic botelastic bot removed the Stalled label Oct 7, 2020
@zube zube bot closed this Oct 7, 2020
@zube zube bot reopened this Oct 7, 2020
@zube zube bot closed this Oct 7, 2020
@jsoriano jsoriano added the Team:Services (Deprecated) Label for the former Integrations-Services team label Oct 7, 2020
@elasticmachine
Collaborator

Pinging @elastic/integrations-services (Team:Services)

@jsoriano jsoriano reopened this Oct 7, 2020
@MrBones757

MrBones757 commented Oct 8, 2020

Is there any update on when we might see this implemented? This would be very useful at my organisation too.

From my investigations though, this is not going to work for all scenarios, as you may find that you have more than one IP.
For me (?<source.xforwardfor>(%{IP}([,+]+)?)+)?$ seemed to work, which captured stuff like:

x.x.x.x
x.x.x.x,+x.x.x.x
x.x.x.x,+x.x.x.x,+x.x.x.x
etc.

Update: ((?:-)|(?<source.xforwardfor>(%{IP}([,+]+)?)+))?$ to support the null - field

@jsoriano
Member

jsoriano commented Oct 8, 2020

@MrBones757 thanks for your feedback, could you provide some example log lines that we could use for testing?
If @marcosdiez doesn't have time to continue with this PR I could open another one with these changes and your feedback, but I would need some example log lines.

@NoelProf

NoelProf commented Oct 8, 2020 via email

@jeffrysleddens

jeffrysleddens commented Oct 9, 2020

Please find attached a sample of IIS logs with all options enabled and X-Forwarded-For added as the last attribute, where 10.24.129.162 is the IP address of our webserver and 10.24.136.240 is the IP address of our loadbalancer.
iis_log_sample_extended.txt

And a screenshot of the IIS log settings used to produce these logs:

(image: iis_log_configuration)

@jeffrysleddens

jeffrysleddens commented Oct 9, 2020

We have been using this modified version of the grok patterns of the IIS ingest pipeline to allow for the X-Forwarded-For field, based on this pull request. We only swapped around the network.forwarded_ip and source.address fields, as that seems to be more in line with the ECS definition of those fields.

{
  "field": "message",
  "patterns": [
    "%{TIMESTAMP_ISO8601:iis.access.time} (?:-|%{IPORHOST:destination.address}) (?:-|%{WORD:http.request.method}) (?:-|%{NOTSPACE:url.path}) (?:-|%{NOTSPACE:url.query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name}) (?:-|%{IPORHOST:network.forwarded_ip}) (?:-|%{NOTSPACE:user_agent.original}) (?:-|%{NOTSPACE:http.request.referrer}) (?:-|%{NUMBER:http.response.status_code:long}) (?:-|%{NUMBER:iis.access.sub_status:long}) (?:-|%{NUMBER:iis.access.win32_status:long}) (?:-|%{NUMBER:temp.duration:long}) (?:-|%{IPORHOST:source.address})",
    "%{TIMESTAMP_ISO8601:iis.access.time} (?:-|%{NOTSPACE:iis.access.site_name}) (?:-|%{WORD:http.request.method}) (?:-|%{NOTSPACE:url.path}) (?:-|%{NOTSPACE:url.query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name}) (?:-|%{IPORHOST:network.forwarded_ip}) (?:-|%{NOTSPACE:user_agent.original}) (?:-|%{NOTSPACE:iis.access.cookie}) (?:-|%{NOTSPACE:http.request.referrer}) (?:-|%{NOTSPACE:destination.domain}) (?:-|%{NUMBER:http.response.status_code:long}) (?:-|%{NUMBER:iis.access.sub_status:long}) (?:-|%{NUMBER:iis.access.win32_status:long}) (?:-|%{NUMBER:http.response.body.bytes:long}) (?:-|%{NUMBER:http.request.body.bytes:long}) (?:-|%{NUMBER:temp.duration:long}) (?:-|%{IPORHOST:source.address})",
    "%{TIMESTAMP_ISO8601:iis.access.time} (?:-|%{NOTSPACE:iis.access.site_name}) (?:-|%{NOTSPACE:iis.access.server_name}) (?:-|%{IPORHOST:destination.address}) (?:-|%{WORD:http.request.method}) (?:-|%{NOTSPACE:url.path}) (?:-|%{NOTSPACE:url.query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name}) (?:-|%{IPORHOST:network.forwarded_ip}) (?:-|HTTP/%{NUMBER:http.version}) (?:-|%{NOTSPACE:user_agent.original}) (?:-|%{NOTSPACE:iis.access.cookie}) (?:-|%{NOTSPACE:http.request.referrer}) (?:-|%{NOTSPACE:destination.domain}) (?:-|%{NUMBER:http.response.status_code:long}) (?:-|%{NUMBER:iis.access.sub_status:long}) (?:-|%{NUMBER:iis.access.win32_status:long}) (?:-|%{NUMBER:http.response.body.bytes:long}) (?:-|%{NUMBER:http.request.body.bytes:long}) (?:-|%{NUMBER:temp.duration:long}) (?:-|%{IPORHOST:source.address})",
    "%{TIMESTAMP_ISO8601:iis.access.time} \[%{IPORHOST:destination.address}\]\(http://%{IPORHOST:destination.address}\) (?:-|%{WORD:http.request.method}) (?:-|%{NOTSPACE:url.path}) (?:-|%{NOTSPACE:url.query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name}) \[%{IPORHOST:network.forwarded_ip}\]\(http://%{IPORHOST:network.forwarded_ip}\) (?:-|%{NOTSPACE:user_agent.original}) (?:-|%{NUMBER:http.response.status_code:long}) (?:-|%{NUMBER:iis.access.sub_status:long}) (?:-|%{NUMBER:iis.access.win32_status:long}) (?:-|%{NUMBER:temp.duration:long}) (?:-|%{IPORHOST:source.address})",
    "%{TIMESTAMP_ISO8601:iis.access.time} (?:-|%{IPORHOST:destination.address}) (?:-|%{WORD:http.request.method}) (?:-|%{NOTSPACE:url.path}) (?:-|%{NOTSPACE:url.query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name}) (?:-|%{IPORHOST:network.forwarded_ip}) (?:-|%{NOTSPACE:user_agent.original}) (?:-|%{NUMBER:http.response.status_code:long}) (?:-|%{NUMBER:iis.access.sub_status:long}) (?:-|%{NUMBER:iis.access.win32_status:long}) (?:-|%{NUMBER:temp.duration:long}) (?:-|%{IPORHOST:source.address})",
    "%{TIMESTAMP_ISO8601:iis.access.time} (?:-|%{IPORHOST:destination.address}) (?:-|%{WORD:http.request.method}) (?:-|%{NOTSPACE:url.path}) (?:-|%{NOTSPACE:url.query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name}) (?:-|%{IPORHOST:source.address}) (?:-|%{NOTSPACE:user_agent.original}) (?:-|%{NOTSPACE:http.request.referrer}) (?:-|%{NUMBER:http.response.status_code:long}) (?:-|%{NUMBER:iis.access.sub_status:long}) (?:-|%{NUMBER:iis.access.win32_status:long}) (?:-|%{NUMBER:temp.duration:long})",
    "%{TIMESTAMP_ISO8601:iis.access.time} (?:-|%{NOTSPACE:iis.access.site_name}) (?:-|%{WORD:http.request.method}) (?:-|%{NOTSPACE:url.path}) (?:-|%{NOTSPACE:url.query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name}) (?:-|%{IPORHOST:source.address}) (?:-|%{NOTSPACE:user_agent.original}) (?:-|%{NOTSPACE:iis.access.cookie}) (?:-|%{NOTSPACE:http.request.referrer}) (?:-|%{NOTSPACE:destination.domain}) (?:-|%{NUMBER:http.response.status_code:long}) (?:-|%{NUMBER:iis.access.sub_status:long}) (?:-|%{NUMBER:iis.access.win32_status:long}) (?:-|%{NUMBER:http.response.body.bytes:long}) (?:-|%{NUMBER:http.request.body.bytes:long}) (?:-|%{NUMBER:temp.duration:long})",
    "%{TIMESTAMP_ISO8601:iis.access.time} (?:-|%{NOTSPACE:iis.access.site_name}) (?:-|%{NOTSPACE:iis.access.server_name}) (?:-|%{IPORHOST:destination.address}) (?:-|%{WORD:http.request.method}) (?:-|%{NOTSPACE:url.path}) (?:-|%{NOTSPACE:url.query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name}) (?:-|%{IPORHOST:source.address}) (?:-|HTTP/%{NUMBER:http.version}) (?:-|%{NOTSPACE:user_agent.original}) (?:-|%{NOTSPACE:iis.access.cookie}) (?:-|%{NOTSPACE:http.request.referrer}) (?:-|%{NOTSPACE:destination.domain}) (?:-|%{NUMBER:http.response.status_code:long}) (?:-|%{NUMBER:iis.access.sub_status:long}) (?:-|%{NUMBER:iis.access.win32_status:long}) (?:-|%{NUMBER:http.response.body.bytes:long}) (?:-|%{NUMBER:http.request.body.bytes:long}) (?:-|%{NUMBER:temp.duration:long})",
    "%{TIMESTAMP_ISO8601:iis.access.time} \[%{IPORHOST:destination.address}\]\(http://%{IPORHOST:destination.address}\) (?:-|%{WORD:http.request.method}) (?:-|%{NOTSPACE:url.path}) (?:-|%{NOTSPACE:url.query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name}) \[%{IPORHOST:source.address}\]\(http://%{IPORHOST:source.address}\) (?:-|%{NOTSPACE:user_agent.original}) (?:-|%{NUMBER:http.response.status_code:long}) (?:-|%{NUMBER:iis.access.sub_status:long}) (?:-|%{NUMBER:iis.access.win32_status:long}) (?:-|%{NUMBER:temp.duration:long})",
    "%{TIMESTAMP_ISO8601:iis.access.time} (?:-|%{IPORHOST:destination.address}) (?:-|%{WORD:http.request.method}) (?:-|%{NOTSPACE:url.path}) (?:-|%{NOTSPACE:url.query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name}) (?:-|%{IPORHOST:source.address}) (?:-|%{NOTSPACE:user_agent.original}) (?:-|%{NUMBER:http.response.status_code:long}) (?:-|%{NUMBER:iis.access.sub_status:long}) (?:-|%{NUMBER:iis.access.win32_status:long}) (?:-|%{NUMBER:temp.duration:long})"
  ],
  "ignore_missing": true
}
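
A worked parser for the log format discussed in MrBones757's comment and in the grok patterns above, added here as an example; it is not code from the PR or from Filebeat. It reads the #Fields header, splits the trailing X-Forwarded-For value on the ",+" form IIS uses when the header carries several hops, treats "-" as absent, and maps fields the way jsoriano's later comment keeps them (c-ip in source.address, the forwarded address in network.forwarded_ip). The sample log lines and the forwarded_hops/forwarded_invalid keys are constructed for this example and are not ECS.

```python
import ipaddress

# Constructed sample (not from the PR): IIS W3C extended log with the default fields
# plus a trailing X-Forwarded-For custom field, as the sample shared in the thread had it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken X-Forwarded-For
2020-10-09 08:15:01 10.24.129.162 GET /index.html - 443 - 10.24.136.240 Mozilla/5.0 - 200 0 0 12 198.51.100.7
2020-10-09 08:15:02 10.24.129.162 GET /api/items id=3 443 - 10.24.136.240 curl/7.68.0 - 200 0 0 5 203.0.113.9,+198.51.100.7
2020-10-09 08:15:03 10.24.129.162 GET /health - 443 - 10.24.136.240 kube-probe/1.18 - 200 0 0 1 -
2020-10-09 08:15:04 10.24.129.162 GET /login - 443 - 10.24.136.240 Mozilla/5.0 - 302 0 0 3 not-an-ip,+198.51.100.7
"""


def is_ip(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def split_forwarded_for(value):
    """Split a logged X-Forwarded-For value into its hops.

    IIS writes "-" when the header was absent and replaces spaces with "+",
    so a header "a, b, c" is logged as "a,+b,+c" (the ",+" form seen in the thread).
    """
    if value == "-":
        return []
    return [hop.strip("+") for hop in value.split(",") if hop.strip("+")]


def to_ecs(raw):
    """Map one parsed IIS record to ECS-style keys.

    Follows the thread's outcome: c-ip (the proxy/load balancer) stays in
    source.address and the forwarded address goes to network.forwarded_ip.
    With several hops, only the last one was appended by the proxy nearest the
    server; earlier hops are client-supplied, so they are kept separately under
    the hypothetical key forwarded_hops and flagged if any is not an IP address.
    """
    hops = split_forwarded_for(raw.get("X-Forwarded-For", "-"))
    trusted = hops[-1] if hops and is_ip(hops[-1]) else None
    return {
        "@timestamp": raw["date"] + "T" + raw["time"] + "Z",
        "destination.address": raw["s-ip"],
        "destination.port": int(raw["s-port"]),
        "http.request.method": raw["cs-method"],
        "url.path": raw["cs-uri-stem"],
        "http.response.status_code": int(raw["sc-status"]),
        "source.address": raw["c-ip"],
        "network.forwarded_ip": trusted,
        "forwarded_hops": hops,  # hypothetical key, not part of ECS
        "forwarded_invalid": any(not is_ip(h) for h in hops),
    }


def parse_iis_log(text):
    """Parse W3C-format IIS log text; the field order comes from the #Fields line."""
    fields, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if fields is None or len(values) != len(fields):
                raise ValueError("field count does not match #Fields: " + line)
            events.append(to_ecs(dict(zip(fields, values))))
    return events
```

parse_iis_log(SAMPLE_LOG) returns one dict per request line; the fourth sample line shows that a garbage client-supplied hop is flagged while the hop appended by the load balancer is still usable.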

@jsoriano
Member

jsoriano commented Oct 9, 2020

@NoelProf @jeffrysleddens wow, thanks a lot for sharing your logs and the configurations you are using!

Would any of you like to open a pull request with them? If not, no problem, I will wrap-up all the info you have provided and prepare the change.

@jeffrysleddens

This is a tricky one, because there is also still a discussion going on about how to handle proxy/loadbalancers in the ECS (elastic/ecs#938) and the network.forwarded_ip field (elastic/ecs#523)

jsoriano added a commit to jsoriano/beats that referenced this pull request Mar 9, 2021
@jsoriano
Member

jsoriano commented Mar 9, 2021

Hi,

I finally went back to this. I have opened #24436 to replace this PR. It includes the code of this PR, but making the presence of the X-Forwarded-For optional. It also includes the shared test files to check that the pipeline works now for them.

Thanks all for your help with this, very appreciated! Please take a look at the new PR if you have some time.

> We only swapped around the network.forwarded_ip and source.address fields as that seems to be more in line with the ECS definition of those fields.

@jeffrysleddens regarding this, in my PR I keep using network.forwarded_ip. According to current ECS, this field can be used when the source IP address is the proxy, which I think would be correct for this case. I see your comments in elastic/ecs#523 about using source fields for the real client address, and I think it makes sense, but let's stick to current ECS for now. If something changes in ECS related to this we can change it in Filebeat accordingly.

Labels
Filebeat Filebeat module Team:Platforms Label for the Integrations - Platforms team Team:Services (Deprecated) Label for the former Integrations-Services team
Successfully merging this pull request may close these issues.

Add "X-Forwarded-For" field support for IIS module in Filebeat