Skip to content

Commit

Permalink
Improve ECS categorization field mappings in iis module (elastic#16618)
Browse files Browse the repository at this point in the history
- event.category
- event.kind
- event.outcome
- event.type
- related.ip
- related.user
- lowercase http.request.method
- improve grok in access pipeline
- change access and error pipelines to yaml

Closes elastic#16165
  • Loading branch information
leehinman authored Mar 2, 2020
1 parent a25903b commit 342f0e0
Show file tree
Hide file tree
Showing 14 changed files with 623 additions and 315 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -151,6 +151,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Improve ECS field mappings in haproxy module. {issue}16162[16162] {pull}16529[16529]
- Improve the decode_cef processor by reducing the number of memory allocations. {pull}16587[16587]
- Add `cloudfoundry` input to send events from Cloud Foundry. {pull}16586[16586]
- Improve ECS categorization field mappings in iis module. {issue}16165[16165] {pull}16618[16618]

*Heartbeat*

Expand Down
134 changes: 0 additions & 134 deletions filebeat/module/iis/access/ingest/default.json

This file was deleted.

139 changes: 139 additions & 0 deletions filebeat/module/iis/access/ingest/pipeline.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,139 @@
description: Pipeline for parsing IIS access logs. Requires the geoip and user_agent
plugins.
processors:
- grok:
field: message
patterns:
- '%{TIMESTAMP_ISO8601:iis.access.time} (?:-|%{IPORHOST:destination.address}) (?:-|%{WORD:http.request.method})
(?:-|%{NOTSPACE:url.path}) (?:-|%{NOTSPACE:url.query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name})
(?:-|%{IPORHOST:source.address}) (?:-|%{NOTSPACE:user_agent.original}) (?:-|%{NOTSPACE:http.request.referrer})
(?:-|%{NUMBER:http.response.status_code:long}) (?:-|%{NUMBER:iis.access.sub_status:long})
(?:-|%{NUMBER:iis.access.win32_status:long}) (?:-|%{NUMBER:temp.duration:long})'
- '%{TIMESTAMP_ISO8601:iis.access.time} (?:-|%{NOTSPACE:iis.access.site_name}) (?:-|%{WORD:http.request.method})
(?:-|%{NOTSPACE:url.path}) (?:-|%{NOTSPACE:url.query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name})
(?:-|%{IPORHOST:source.address}) (?:-|%{NOTSPACE:user_agent.original}) (?:-|%{NOTSPACE:iis.access.cookie})
(?:-|%{NOTSPACE:http.request.referrer}) (?:-|%{NOTSPACE:destination.domain}) (?:-|%{NUMBER:http.response.status_code:long})
(?:-|%{NUMBER:iis.access.sub_status:long}) (?:-|%{NUMBER:iis.access.win32_status:long})
(?:-|%{NUMBER:http.response.body.bytes:long}) (?:-|%{NUMBER:http.request.body.bytes:long})
(?:-|%{NUMBER:temp.duration:long})'
- '%{TIMESTAMP_ISO8601:iis.access.time} (?:-|%{NOTSPACE:iis.access.site_name}) (?:-|%{NOTSPACE:iis.access.server_name})
(?:-|%{IPORHOST:destination.address}) (?:-|%{WORD:http.request.method}) (?:-|%{NOTSPACE:url.path})
(?:-|%{NOTSPACE:url.query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name})
(?:-|%{IPORHOST:source.address}) (?:-|HTTP/%{NUMBER:http.version}) (?:-|%{NOTSPACE:user_agent.original})
(?:-|%{NOTSPACE:iis.access.cookie}) (?:-|%{NOTSPACE:http.request.referrer}) (?:-|%{NOTSPACE:destination.domain})
(?:-|%{NUMBER:http.response.status_code:long}) (?:-|%{NUMBER:iis.access.sub_status:long})
(?:-|%{NUMBER:iis.access.win32_status:long}) (?:-|%{NUMBER:http.response.body.bytes:long})
(?:-|%{NUMBER:http.request.body.bytes:long}) (?:-|%{NUMBER:temp.duration:long})'
- '%{TIMESTAMP_ISO8601:iis.access.time} \[%{IPORHOST:destination.address}\]\(http://%{IPORHOST:destination.address}\)
(?:-|%{WORD:http.request.method}) (?:-|%{NOTSPACE:url.path}) (?:-|%{NOTSPACE:url.query}) (?:-|%{NUMBER:destination.port:long})
(?:-|%{NOTSPACE:user.name}) \[%{IPORHOST:source.address}\]\(http://%{IPORHOST:source.address}\)
(?:-|%{NOTSPACE:user_agent.original}) (?:-|%{NUMBER:http.response.status_code:long}) (?:-|%{NUMBER:iis.access.sub_status:long})
(?:-|%{NUMBER:iis.access.win32_status:long}) (?:-|%{NUMBER:temp.duration:long})'
- '%{TIMESTAMP_ISO8601:iis.access.time} (?:-|%{IPORHOST:destination.address}) (?:-|%{WORD:http.request.method})
(?:-|%{NOTSPACE:url.path}) (?:-|%{NOTSPACE:url.query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name})
(?:-|%{IPORHOST:source.address}) (?:-|%{NOTSPACE:user_agent.original}) (?:-|%{NUMBER:http.response.status_code:long})
(?:-|%{NUMBER:iis.access.sub_status:long}) (?:-|%{NUMBER:iis.access.win32_status:long})
(?:-|%{NUMBER:temp.duration:long})'
ignore_missing: true
- remove:
field: message
- rename:
field: '@timestamp'
target_field: event.created
- date:
field: iis.access.time
target_field: '@timestamp'
formats:
- yyyy-MM-dd HH:mm:ss
- remove:
field: iis.access.time
- script:
lang: painless
source: ctx.event.duration = Math.round(ctx.temp.duration * params.scale)
params:
scale: 1000000
if: ctx.temp?.duration != null
- remove:
field: temp.duration
ignore_missing: true
- urldecode:
field: user_agent.original
ignore_missing: true
- user_agent:
field: user_agent.original
ignore_missing: true
- grok:
field: destination.address
ignore_failure: true
patterns:
- '%{NOZONEIP:destination.ip}'
pattern_definitions:
NOZONEIP: '[^%]*'
- grok:
field: source.address
ignore_failure: true
patterns:
- '%{NOZONEIP:source.ip}'
pattern_definitions:
NOZONEIP: '[^%]*'
- geoip:
field: source.ip
target_field: source.geo
ignore_missing: true
- geoip:
database_file: GeoLite2-ASN.mmdb
field: source.ip
target_field: source.as
properties:
- asn
- organization_name
ignore_missing: true
- rename:
field: source.as.asn
target_field: source.as.number
ignore_missing: true
- rename:
field: source.as.organization_name
target_field: source.as.organization.name
ignore_missing: true
- set:
field: event.kind
value: event
- append:
field: event.category
value: web
- append:
field: event.category
value: network
if: "ctx?.source?.ip != null && ctx?.destination?.ip != null"
- append:
field: event.type
value: connection
if: "ctx?.source?.ip != null && ctx?.destination?.ip != null"
- lowercase:
field: http.request.method
ignore_missing: true
- append:
field: related.ip
value: "{{source.ip}}"
if: "ctx?.source?.ip != null"
- append:
field: related.ip
value: "{{destination.ip}}"
if: "ctx?.destination?.ip != null"
- append:
field: related.user
value: "{{user.name}}"
if: "ctx?.user?.name != null"
- set:
field: event.outcome
value: success
if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code < 400"
- set:
field: event.outcome
value: failure
if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code >= 400"
on_failure:
- set:
field: error.message
value: '{{ _ingest.on_failure_message }}'
2 changes: 1 addition & 1 deletion filebeat/module/iis/access/manifest.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ var:
os.windows:
- C:/inetpub/logs/LogFiles/*/*.log

ingest_pipeline: ingest/default.json
ingest_pipeline: ingest/pipeline.yml
input: config/iis-access.yml

requires.processors:
Expand Down
Loading

0 comments on commit 342f0e0

Please sign in to comment.