-
Notifications
You must be signed in to change notification settings - Fork 4.9k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Change url.path to use NOTSPACE grok pattern instead (#13225)
* Change url.path to use NOTSPACE grok pattern instead
- Loading branch information
1 parent
fea2db3
commit c66580d
Showing
4 changed files
with
149 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
2018-12-31 12:02:53 10.44.0.136 GET /pbserver/..À¯..À¯..À¯..À¯..À¯../winnt/system32/cmd.exe /c+dir+c:\+/OG 8080 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 64 0 | ||
2018-12-31 12:02:53 10.44.0.136 GET /pbserver/..ÁÁ..ÁÁ..ÁÁ..ÁÁ..ÁÁ../winnt/system32/cmd.exe /c+dir+c:\+/OG 8080 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 2 46 | ||
2018-12-31 12:02:53 10.44.0.136 GET /Director - 443 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 401 0 0 0 | ||
2018-12-31 12:02:53 10.44.0.136 GET / - 443 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 401 0 0 0 | ||
2018-12-31 12:02:53 10.44.0.136 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:\+/OG 8080 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 64 15 |
142 changes: 142 additions & 0 deletions
142
filebeat/module/iis/access/test/test-iis-7.2.log-expected.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,142 @@ | ||
[ | ||
{ | ||
"@timestamp": "2018-12-31T12:02:53.000Z", | ||
"destination.address": "10.44.0.136", | ||
"destination.ip": "10.44.0.136", | ||
"destination.port": 8080, | ||
"event.dataset": "iis.access", | ||
"event.duration": 0, | ||
"event.module": "iis", | ||
"fileset.name": "access", | ||
"http.request.method": "GET", | ||
"http.request.referrer": "-", | ||
"http.response.status_code": 404, | ||
"iis.access.sub_status": 0, | ||
"iis.access.win32_status": 64, | ||
"input.type": "log", | ||
"log.offset": 0, | ||
"service.type": "iis", | ||
"source.address": "10.50.6.188", | ||
"source.ip": "10.50.6.188", | ||
"url.path": "/pbserver/..\u00c0\u00af..\u00c0\u00af..\u00c0\u00af..\u00c0\u00af..\u00c0\u00af../winnt/system32/cmd.exe", | ||
"url.query": "/c+dir+c:\\+/OG", | ||
"user.name": "-", | ||
"user_agent.device.name": "Other", | ||
"user_agent.name": "IE", | ||
"user_agent.original": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", | ||
"user_agent.os.name": "Windows XP", | ||
"user_agent.version": "8.0" | ||
}, | ||
{ | ||
"@timestamp": "2018-12-31T12:02:53.000Z", | ||
"destination.address": "10.44.0.136", | ||
"destination.ip": "10.44.0.136", | ||
"destination.port": 8080, | ||
"event.dataset": "iis.access", | ||
"event.duration": 46000000, | ||
"event.module": "iis", | ||
"fileset.name": "access", | ||
"http.request.method": "GET", | ||
"http.request.referrer": "-", | ||
"http.response.status_code": 404, | ||
"iis.access.sub_status": 0, | ||
"iis.access.win32_status": 2, | ||
"input.type": "log", | ||
"log.offset": 213, | ||
"service.type": "iis", | ||
"source.address": "10.50.6.188", | ||
"source.ip": "10.50.6.188", | ||
"url.path": "/pbserver/..\u00c1\u00c1..\u00c1\u00c1..\u00c1\u00c1..\u00c1\u00c1..\u00c1\u00c1../winnt/system32/cmd.exe", | ||
"url.query": "/c+dir+c:\\+/OG", | ||
"user.name": "-", | ||
"user_agent.device.name": "Other", | ||
"user_agent.name": "IE", | ||
"user_agent.original": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", | ||
"user_agent.os.name": "Windows XP", | ||
"user_agent.version": "8.0" | ||
}, | ||
{ | ||
"@timestamp": "2018-12-31T12:02:53.000Z", | ||
"destination.address": "10.44.0.136", | ||
"destination.ip": "10.44.0.136", | ||
"destination.port": 443, | ||
"event.dataset": "iis.access", | ||
"event.duration": 0, | ||
"event.module": "iis", | ||
"fileset.name": "access", | ||
"http.request.method": "GET", | ||
"http.request.referrer": "-", | ||
"http.response.status_code": 401, | ||
"iis.access.sub_status": 0, | ||
"iis.access.win32_status": 0, | ||
"input.type": "log", | ||
"log.offset": 426, | ||
"service.type": "iis", | ||
"source.address": "10.50.6.188", | ||
"source.ip": "10.50.6.188", | ||
"url.path": "/Director", | ||
"url.query": "-", | ||
"user.name": "-", | ||
"user_agent.device.name": "Other", | ||
"user_agent.name": "IE", | ||
"user_agent.original": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", | ||
"user_agent.os.name": "Windows XP", | ||
"user_agent.version": "8.0" | ||
}, | ||
{ | ||
"@timestamp": "2018-12-31T12:02:53.000Z", | ||
"destination.address": "10.44.0.136", | ||
"destination.ip": "10.44.0.136", | ||
"destination.port": 443, | ||
"event.dataset": "iis.access", | ||
"event.duration": 0, | ||
"event.module": "iis", | ||
"fileset.name": "access", | ||
"http.request.method": "GET", | ||
"http.request.referrer": "-", | ||
"http.response.status_code": 401, | ||
"iis.access.sub_status": 0, | ||
"iis.access.win32_status": 0, | ||
"input.type": "log", | ||
"log.offset": 568, | ||
"service.type": "iis", | ||
"source.address": "10.50.6.188", | ||
"source.ip": "10.50.6.188", | ||
"url.path": "/", | ||
"url.query": "-", | ||
"user.name": "-", | ||
"user_agent.device.name": "Other", | ||
"user_agent.name": "IE", | ||
"user_agent.original": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", | ||
"user_agent.os.name": "Windows XP", | ||
"user_agent.version": "8.0" | ||
}, | ||
{ | ||
"@timestamp": "2018-12-31T12:02:53.000Z", | ||
"destination.address": "10.44.0.136", | ||
"destination.ip": "10.44.0.136", | ||
"destination.port": 8080, | ||
"event.dataset": "iis.access", | ||
"event.duration": 15000000, | ||
"event.module": "iis", | ||
"fileset.name": "access", | ||
"http.request.method": "GET", | ||
"http.request.referrer": "-", | ||
"http.response.status_code": 404, | ||
"iis.access.sub_status": 0, | ||
"iis.access.win32_status": 64, | ||
"input.type": "log", | ||
"log.offset": 702, | ||
"service.type": "iis", | ||
"source.address": "10.50.6.188", | ||
"source.ip": "10.50.6.188", | ||
"url.path": "/pbserver/..\u00c1\u0153..\u00c1\u0153..\u00c1\u0153..\u00c1\u0153..\u00c1\u0153../winnt/system32/cmd.exe", | ||
"url.query": "/c+dir+c:\\+/OG", | ||
"user.name": "-", | ||
"user_agent.device.name": "Other", | ||
"user_agent.name": "IE", | ||
"user_agent.original": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", | ||
"user_agent.os.name": "Windows XP", | ||
"user_agent.version": "8.0" | ||
} | ||
] |