
Commit df26396

authored
Merge pull request #49 from fabiogermann/master
Fixed exception in logstash and added ECS translation config
2 parents 3a0a58f + 0c71411 commit df26396


2 files changed

+141
-2
lines changed


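--- a/2082_filter_section_h_extract_stopwatch.conf
+++ b/2082_filter_section_h_extract_stopwatch.conf
@@ -24,15 +24,15 @@ filter {
 # micro -> milli
 ruby {
 code => "
-event_date_milliseconds = (event.get('event_date_microseconds') / 1000.0)
+event_date_milliseconds = (event.get('event_date_microseconds').to_i / 1000.0)
 event.set('event_date_milliseconds', event_date_milliseconds)
 "
 }
 
 # milli -> seconds
 ruby {
 code => "
-event_date_seconds = (event.get('event_date_milliseconds') / 1000.0)
+event_date_seconds = (event.get('event_date_milliseconds').to_i / 1000.0)
 event.set('event_date_seconds', event_date_seconds)
 "
 }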
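Review bot: `.to_i` in the second ruby block (new line 35) truncates the float that the first block stored in `event_date_milliseconds` (new line 28), so `event_date_seconds` now drops the sub-millisecond fraction the old division kept, and in both blocks a missing source field becomes `nil.to_i == 0` instead of raising, which silently yields an epoch-zero timestamp. If the goal is only to survive a string-typed `event_date_microseconds`, `.to_f` preserves precision, e.g. `event_date_milliseconds = (event.get('event_date_microseconds').to_f / 1000.0)`, and wrapping each ruby block in `if [event_date_microseconds] { ... }` (and `if [event_date_milliseconds]` for the second) keeps absent fields from being turned into 0. The enclosing `filter {` block starts and ends outside the hunk.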

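--- a/2600_filter_ecs.conf
+++ b/2600_filter_ecs.conf
@@ -0,0 +1,139 @@
+filter {
+if [type] == "mod_security" {
+
+#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Align logs with Elastic ECS
+#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+mutate {
+# Rename to existing ECS fields
+rename => ["fqdn", "[host][hostname]"]
+rename => ["requestHeaders.User-Agent", "[user_agent][original]"]
+rename => ["httpMethod", "[http][request][method]"]
+rename => ["requestedUri", "[url][path]"]
+rename => ["sourceIp", "[client][ip]"]
+rename => ["sourcePort", "[client][port]"]
+rename => ["program", "[service][type]"]
+rename => ["destIp", "[destination][ip]"]
+rename => ["destPort", "[destination][port]"]
+rename => ["uniqueId", "[tracing][trace][id]"]
+
+# Rename to custom ECS fields
+rename => ["requestHeaders", "[http][request][header]"]
+rename => ["responseHeaders", "[http][response][header]"]
+rename => ["auditLogTrailer", "[apache][mod_security][audit_log_trailer]"]
+rename => ["rawSectionA", "[apache][mod_security][section][a]"]
+rename => ["rawSectionB", "[apache][mod_security][section][b]"]
+rename => ["rawSectionF", "[apache][mod_security][section][f]"]
+rename => ["rawSectionH", "[apache][mod_security][section][h]"]
+rename => ["matchedRules", "[apache][mod_security][matched_rule][raw]"]
+rename => ["secRuleIds", "[apache][mod_security][matched_rule][id]"]
+}
+
+grok {
+match => [ "incomingProtocol", "(HTTP\W)(%{NUMBER:http.version})" ]
+}
+
+grok {
+match => [ "responseStatus", "(%{NUMBER:http.response.status_code:long} %{DATA})" ]
+}
+
+useragent { # workaround until ECS support is available: https://github.com/logstash-plugins/logstash-filter-useragent/issues/56
+source => "[user_agent][original]"
+target => "ua_tmp"
+
+add_field => {
+"[user_agent][device][name]" => "%{[ua_tmp][device]}"
+"[user_agent][os][name]" => "%{[ua_tmp][os_name]}"
+"[user_agent][name]" => "%{[ua_tmp][name]}"
+}
+}
+
+# OS version ECS compatibility
+if [ua_tmp][os_major] {
+mutate {
+add_field => {
+"[user_agent][os][version]" => "%{[ua_tmp][os_major]}"
+}
+}
+
+if [ua_tmp][os_minor] {
+mutate {
+replace => {
+"[user_agent][os][version]" => "%{[user_agent][os][version]}.%{[ua_tmp][os_minor]}"
+}
+}
+
+if [ua_tmp][os_patch] {
+mutate {
+replace => {
+"[user_agent][os][version]" => "%{[user_agent][os][version]}.%{[ua_tmp][os_patch]}"
+}
+}
+
+if [ua_tmp][os_build] {
+mutate {
+replace => {
+"[user_agent][os][version]" => "%{[user_agent][os][version]}.%{[ua_tmp][os_build]}"
+}
+}
+}
+}
+}
+
+mutate {
+add_field => {
+"[user_agent][os][full]" => "%{[user_agent][os][name]} %{[user_agent][os][version]}"
+}
+}
+}
+
+# User agent version ECS compatibility
+if [ua_tmp][major] {
+mutate {
+add_field => {
+"[user_agent][version]" => "%{[ua_tmp][major]}"
+}
+}
+
+if [ua_tmp][minor] {
+mutate {
+replace => {
+"[user_agent][version]" => "%{[user_agent][version]}.%{[ua_tmp][minor]}"
+}
+}
+
+if [ua_tmp][patch] {
+mutate {
+replace => {
+"[user_agent][version]" => "%{[user_agent][version]}.%{[ua_tmp][patch]}"
+}
+}
+
+if [ua_tmp][build] {
+mutate {
+replace => {
+"[user_agent][version]" => "%{[user_agent][version]}.%{[ua_tmp][build]}"
+}
+}
+}
+}
+}
+}
+
+mutate {
+remove_field => ["ua_tmp"]
+}
+
+# geoip {
+# source => "[client][ip]"
+# target => "[client][geo]"
+# database => "/var/lib/GeoIP/GeoIP2-City.mmdb"
+# }
+# geoip {
+# source => "[client][ip]"
+# target => "[client][as]"
+# database => "/var/lib/GeoIP/GeoLite2-ASN.mmdb"
+# }
+}
+}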
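Review bot: The two `grok` filters at new lines 33–39 run unconditionally, so a mod_security event that lacks `incomingProtocol` or `responseStatus` (a truncated or partially parsed audit entry) is, as far as I can tell from the grok filter's default behaviour, tagged `_grokparsefailure` even though the earlier parsing stages succeeded; wrapping each in a presence check such as `if [incomingProtocol] { grok { ... } }`, or setting `tag_on_failure => []` on these two, keeps that tag meaningful for the upstream parsers. The capture names `http.version` and `http.response.status_code` use dotted notation while every `rename` in the same file uses the `[http][...]` field-reference syntax; depending on the Logstash version a dotted grok capture creates a literal top-level key containing dots rather than a nested `http` object, so `%{NUMBER:[http][version]}` and `%{NUMBER:[http][response][status_code]:long}` would be the consistent form. The commented-out `geoip` blocks at new lines 128–137 embed absolute database paths; a one-line comment such as `# disabled until the GeoIP databases are provisioned on the host` would tell the next reader why they are off.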
