Convert apache2.access to ECS #8901
@@ -45,6 +45,10 @@ | |
alias: true | ||
copy_to: false | ||
|
||
# Filebeat modules | ||
|
||
## Suricata module | ||
|
||
- from: source_ecs.ip | ||
to: source.ip | ||
alias: true | ||
|
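Review bot: the `## Suricata module` block with `- from: source_ecs.ip` / `to: source.ip` in this hunk is unrelated to the Apache conversion and, as the closing review comment on this PR notes, reflects a pre-rebase state of master; rebase onto master so this file's diff carries only the `## Apache` section and the Suricata entry matches whatever master now contains.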
@@ -85,6 +89,64 @@ | |
alias: true | ||
copy_to: false | ||
|
||
## Apache | ||
|
||
- from: apache2.access.remote_ip | ||
to: source.ip | ||
This alias cannot stay there, since the semantics are different. In the grok you split this field towards two possible fields. In most cases the ip field will be the one that gets populated, but if I think there's value in keeping the ambiguous field around (and therefore not making it an alias), and doing the split towards IP and domain anyway.
||
alias: true | ||
copy_to: false | ||
|
||
- from: apache2.access.user_name | ||
to: user.name | ||
alias: true | ||
copy_to: false | ||
|
||
- from: apache2.access.method | ||
to: http.request.method | ||
alias: true | ||
copy_to: false | ||
|
||
- from: apache2.access.url | ||
to: url.original | ||
alias: true | ||
copy_to: false | ||
|
||
- from: apache2.access.http_version | ||
to: http.version | ||
alias: true | ||
copy_to: false | ||
|
||
- from: apache2.access.response_code | ||
to: http.response.status_code | ||
alias: true | ||
copy_to: false | ||
|
||
- from: apache2.access.body_sent.bytes | ||
to: http.response.body_sent.bytes | ||
alias: true | ||
copy_to: false | ||
|
||
- from: apache2.access.referrer | ||
to: http.request.referer | ||
alias: true | ||
copy_to: false | ||
|
||
- from: apache2.access.agent | ||
to: user_agent.original | ||
alias: true | ||
copy_to: false | ||
|
||
- from: read_timestamp | ||
to: event.created | ||
alias: false | ||
copy_to: false | ||
|
||
# This expands all geoip fields | ||
- from: apache2.access.geoip.* | ||
to: source.geoip.* | ||
alias: false | ||
copy_to: false | ||
When you get around to actually creating the aliases in the module's field defs, you can check out how I did it for the other modules (example). The definitions are so regular that with judicious find & replace, you can get them adjusted to this module very quickly.
||
|
||
# From Auditbeat's auditd module. | ||
- from: source.hostname | ||
to: source.domain | ||
|
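Review bot: the wildcard entry `- from: apache2.access.geoip.*` / `to: source.geoip.*` disagrees with the ingest pipeline changed in this same PR, which now writes GeoIP output to `"target_field": "source.geo"`; the `to:` side should be `source.geo.*` so the migration mapping points at the field the pipeline actually populates. Separately, the new grok splits the old `apache2.access.remote_ip` value into either `source.ip` or `source.domain`, so `alias: true` onto `source.ip` alone misdescribes the old field (as the inline comment above already raises); keep it as a plain non-alias mapping entry, or document that hostname values are not covered by the alias.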
|
@@ -4,8 +4,26 @@ | |
Apache2 Module | ||
short_config: true | ||
fields: | ||
- name: http.response.body_sent.bytes | ||
I want to include the HTTP size metrics in ECS. But I don't think they'll look like that. The metrics available are typically request header size, request body size, response header size, response body size. And for both request and response, one could also be interested in having a total size. I'm not saying all of those need to make it to ECS necessarily. But given all of these options, I doubt the I say we should hash that out first in ECS, and revisit all affected modules afterwards. Personally I'd leave as previous for now. But not a big deal either way. Once we've figured this out in ECS, we'll revisit here anyway :-)
||
type: long | ||
format: bytes | ||
description: > | ||
The number of bytes of the server response body. | ||
|
||
- name: source.hostname | ||
|
||
type: keyword | ||
description: > | ||
test | ||
|
||
- name: http.request.referer | ||
ECS doesn't reproduce the typo ;-) It should be
||
type: keyword | ||
description: > | ||
Http request referer. | ||
|
||
- name: apache2 | ||
type: group | ||
description: > | ||
Apache2 fields. | ||
fields: | ||
|
||
|
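Review bot: `- name: source.hostname` does not match the field the new grok pattern in this PR emits, which is `source.domain`; rename the definition or the pattern so they agree, and replace the placeholder `description: > test` with real text (for example "Hostname of the client, when the access log records a name instead of an IP address"). Minor: `Http request referer.` should read `HTTP request referer.` for consistency with the other descriptions.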
|
@@ -4,8 +4,8 @@ | |
"grok": { | ||
"field": "message", | ||
"patterns":[ | ||
"%{IPORHOST:apache2.access.remote_ip} - %{DATA:apache2.access.user_name} \\[%{HTTPDATE:apache2.access.time}\\] \"%{WORD:apache2.access.method} %{DATA:apache2.access.url} HTTP/%{NUMBER:apache2.access.http_version}\" %{NUMBER:apache2.access.response_code} (?:%{NUMBER:apache2.access.body_sent.bytes}|-)( \"%{DATA:apache2.access.referrer}\")?( \"%{DATA:apache2.access.agent}\")?", | ||
"%{IPORHOST:apache2.access.remote_ip} - %{DATA:apache2.access.user_name} \\[%{HTTPDATE:apache2.access.time}\\] \"-\" %{NUMBER:apache2.access.response_code} -" | ||
"(%{IP:source.ip}|%{HOSTNAME:source.domain}) - %{DATA:user.name} \\[%{HTTPDATE:apache2.access.time}\\] \"%{WORD:http.request.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}\" %{NUMBER:http.response.status_code} (?:%{NUMBER:http.response.body_sent.bytes}|-)( \"%{DATA:http.request.referer}\")?( \"%{DATA:user_agent.original}\")?", | ||
"(%{IP:source.ip}|%{HOSTNAME:source.domain}) - %{DATA:user.name} \\[%{HTTPDATE:apache2.access.time}\\] \"-\" %{NUMBER:http.response.status_code} -" | ||
], | ||
"ignore_missing": true | ||
} | ||
|
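Review bot: `%{DATA:user.name}` in both new patterns captures the literal `-` that Apache writes in the user position for unauthenticated requests, so `user.name` will be set to "-" on most events; either match `(?:-|%{DATA:user.name})` there or drop `user.name` in a later processor when it equals `-`, so ECS consumers do not see a bogus user. Also, `apache2.access.time` is now the only non-ECS field left in these patterns; a comment stating that it is an intermediate value consumed by the following `date` processor would help the next reader understand why it was kept.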
@@ -16,7 +16,7 @@ | |
}, { | ||
"rename": { | ||
"field": "@timestamp", | ||
"target_field": "read_timestamp" | ||
"target_field": "event.created" | ||
} | ||
}, { | ||
"date": { | ||
|
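Review bot: the rename of `@timestamp` to `event.created` writes a field that nothing in this PR declares: the fields.yml hunk adds `http.response.body_sent.bytes`, `source.hostname` and `http.request.referer` but no `event.created`, and the migration file lists `read_timestamp` to `event.created` with `alias: false`. Confirm that `event.created` is typed as `date` by the shared ECS field definitions, or add it to this module's fields.yml; otherwise its mapping is left to dynamic mapping.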
@@ -31,19 +31,13 @@ | |
}, { | ||
"user_agent": { | ||
"field": "apache2.access.agent", | ||
"target_field": "apache2.access.user_agent", | ||
"ignore_failure": true | ||
} | ||
}, { | ||
"rename": { | ||
"field": "apache2.access.agent", | ||
"target_field": "apache2.access.user_agent.original", | ||
"target_field": "user_agent", | ||
Your unparsed user_agent is no longer in the However as I've discovered, you can't start by setting The process has to be
|
||
"ignore_failure": true | ||
} | ||
}, { | ||
"geoip": { | ||
"field": "apache2.access.remote_ip", | ||
"target_field": "apache2.access.geoip" | ||
"field": "source.ip", | ||
"target_field": "source.geo" | ||
} | ||
}], | ||
"on_failure" : [{ | ||
|
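Review bot: the `user_agent` processor still reads `"field": "apache2.access.agent"` (an unchanged context line), but the new grok pattern captures the agent string into `user_agent.original`, so that source field no longer exists and the processor is silently skipped on every event because of its `"ignore_failure": true`; point it at `user_agent.original` with `"target_field": "user_agent"`. The following `rename` has the same stale source field and, with the new `"target_field": "user_agent"`, would replace the parsed `user_agent` object with a plain string if the source did exist; once grok writes `user_agent.original` directly, that rename looks redundant and should go. Finally, `geoip` now reads `source.ip`, which is only set when the client was logged as an IP address; when `source.domain` matched instead the processor will error without `"ignore_missing": true`.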
You'll have to rebase from master, to get the Suricata source_ecs replaced