Add support for ssl_request_log in apache2 module (#9833)

* Add support for ssl_request_log in apache2 module

* Update changelog

* Rename ssl.cipher and ssl.protocol

CHANGELOG.next.asciidoc

@@ -86,6 +86,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add option to modules.yml file to indicate that a module has been moved {pull}9432[9432].
 - Fix parsing of GC entries in elasticsearch server log. {issue}9513[9513] {pull}9810[9810]
 - Support mysql 5.7.22 slowlog starting with time information. {issue}7892[7892] {pull}9647[9647]
+- Add support for ssl_request_log in apache2 module. {issue}8088[8088] {pull}9833[9833]
 
 *Heartbeat*
 

filebeat/docs/fields.asciidoc

@@ -70,6 +70,26 @@ type: keyword
 Client IP address or hostname.
 
 
+--
+
+*`apache2.access.ssl.protocol`*::
++
+--
+type: keyword
+
+SSL protocol version.
+
+
+--
+
+*`apache2.access.ssl.cipher`*::
++
+--
+type: keyword
+
+SSL cipher name.
+
+
 --
 
 *`apache2.access.body_sent.bytes`*::

filebeat/module/apache2/access/_meta/fields.yml

@@ -8,6 +8,16 @@
       description: >
         Client IP address or hostname.
 
+    - name: ssl.protocol
+      type: keyword
+      description: >
+        SSL protocol version.
+
+    - name: ssl.cipher
+      type: keyword
+      description: >
+        SSL cipher name.
+
     - name: body_sent.bytes
       type: long
       format: bytes

filebeat/module/apache2/access/ingest/default.json

@@ -5,7 +5,8 @@
       "field": "message",
       "patterns":[
         "%{IPORHOST:apache2.access.remote_ip} - %{DATA:user.name} \\[%{HTTPDATE:apache2.access.time}\\] \"%{WORD:http.request.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}\" %{NUMBER:http.response.status_code:long} (?:%{NUMBER:apache2.access.body_sent.bytes:long}|-)( \"%{DATA:http.request.referrer}\")?( \"%{DATA:apache2.access.agent}\")?",
-        "%{IPORHOST:apache2.access.remote_ip} - %{DATA:user.name} \\[%{HTTPDATE:apache2.access.time}\\] \"-\" %{NUMBER:http.response.status_code:long} -"
+        "%{IPORHOST:apache2.access.remote_ip} - %{DATA:user.name} \\[%{HTTPDATE:apache2.access.time}\\] \"-\" %{NUMBER:http.response.status_code:long} -",
+        "\\[%{HTTPDATE:apache2.access.time}\\] %{IPORHOST:apache2.access.remote_ip} %{DATA:apache2.access.ssl.protocol} %{DATA:apache2.access.ssl.cipher} \"%{WORD:http.request.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}\" %{NUMBER:apache2.access.body_sent.bytes}"
         ],
       "ignore_missing": true
     }

filebeat/module/apache2/access/test/ssl-request.log

@@ -0,0 +1 @@
+[10/Aug/2018:09:45:56 +0200] 172.30.0.119 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /nagiosxi/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_admin_tasks_html%22%2C%22args%22%3A%22%22%7D&nsp=b5c7d5d4b6f7d0cf0c92f9cbdf737f6a5c838218425e6ae21 HTTP/1.1" 1375

filebeat/module/apache2/access/test/ssl-request.log-expected.json

@@ -0,0 +1,18 @@
+[
+    {
+        "@timestamp": "2018-08-10T07:45:56.000Z",
+        "apache2.access.body_sent.bytes": "1375",
+        "apache2.access.remote_ip": "172.30.0.119",
+        "apache2.access.ssl.cipher": "ECDHE-RSA-AES128-GCM-SHA256",
+        "apache2.access.ssl.protocol": "TLSv1.2",
+        "ecs.version": "1.0.0-beta2",
+        "event.dataset": "access",
+        "event.module": "apache2",
+        "http.request.method": "GET",
+        "http.version": "1.1",
+        "input.type": "log",
+        "log.offset": 0,
+        "source.ip": "172.30.0.119",
+        "url.original": "/nagiosxi/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_admin_tasks_html%22%2C%22args%22%3A%22%22%7D&nsp=b5c7d5d4b6f7d0cf0c92f9cbdf737f6a5c838218425e6ae21"
+    }
+]