From 9bcca36cfe71f21984d53c061ff2e8a96e83d669 Mon Sep 17 00:00:00 2001
From: kaiyan-sheng
Date: Tue, 22 Oct 2019 14:51:26 -0600
Subject: [PATCH] [Filebeat] Support '-' as http.response.body.bytes (#14137)

* Support '-' as http.response.body.bytes
---
 CHANGELOG.next.asciidoc | 1 +
 .../module/apache/access/ingest/default.json | 2 +-
 .../module/apache/access/test/ssl-request.log | 1 +
 .../access/test/ssl-request.log-expected.json | 20 +++++++++++++++++++
 4 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 046ab87e6a5..143cba40431 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -178,6 +178,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - panw module: Use geo.name instead of geo.country_iso_code for free-form location. {issue}13272[13272]
 - Fix azure fields names. {pull}14098[14098]
 - Fix calculation of `network.bytes` and `network.packets` for bi-directional netflow events. {pull}14111[14111]
+- Accept '-' as http.response.body.bytes in apache module. {pull}14137[14137]
 - Fix timezone parsing of MySQL module ingest pipelines. {pull}14130[14130]
 
 *Heartbeat*
diff --git a/filebeat/module/apache/access/ingest/default.json b/filebeat/module/apache/access/ingest/default.json
index 3b0bf01af68..6edd5b029be 100644
--- a/filebeat/module/apache/access/ingest/default.json
+++ b/filebeat/module/apache/access/ingest/default.json
@@ -8,7 +8,7 @@
 "%{IPORHOST:destination.domain} %{IPORHOST:source.ip} - %{DATA:user.name} \\[%{HTTPDATE:apache.access.time}\\] \"(?:%{WORD:http.request.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}|-)?\" %{NUMBER:http.response.status_code:long} (?:%{NUMBER:http.response.body.bytes:long}|-)( \"%{DATA:http.request.referrer}\")?( \"%{DATA:user_agent.original}\")?",
 "%{IPORHOST:source.address} - %{DATA:user.name} \\[%{HTTPDATE:apache.access.time}\\] \"(?:%{WORD:http.request.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}|-)?\" %{NUMBER:http.response.status_code:long} (?:%{NUMBER:http.response.body.bytes:long}|-)( \"%{DATA:http.request.referrer}\")?( \"%{DATA:user_agent.original}\")?",
 "%{IPORHOST:source.address} - %{DATA:user.name} \\[%{HTTPDATE:apache.access.time}\\] \"-\" %{NUMBER:http.response.status_code:long} -",
- "\\[%{HTTPDATE:apache.access.time}\\] %{IPORHOST:source.address} %{DATA:apache.access.ssl.protocol} %{DATA:apache.access.ssl.cipher} \"%{WORD:http.request.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}\" %{NUMBER:http.response.body.bytes:long}"
+ "\\[%{HTTPDATE:apache.access.time}\\] %{IPORHOST:source.address} %{DATA:apache.access.ssl.protocol} %{DATA:apache.access.ssl.cipher} \"%{WORD:http.request.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}\" (-|%{NUMBER:http.response.body.bytes:long})"
 ],
 "ignore_missing": true
 }
diff --git a/filebeat/module/apache/access/test/ssl-request.log b/filebeat/module/apache/access/test/ssl-request.log
index 5bc28b27de6..5b65e3235d5 100644
--- a/filebeat/module/apache/access/test/ssl-request.log
+++ b/filebeat/module/apache/access/test/ssl-request.log
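Review bot: The rewritten SSL pattern on the `+` line spells the optional byte count as `(-|%{NUMBER:http.response.body.bytes:long})`, whereas the three sibling patterns in the same array write it as `(?:%{NUMBER:http.response.body.bytes:long}|-)`; grok only emits named captures, so the extra unnamed group changes nothing functionally, but the four alternatives now read as if they encode different rules. I would align the new line with its siblings, ending it `HTTP/%{NUMBER:http.version}\" (?:%{NUMBER:http.response.body.bytes:long}|-)"`, so a later reader does not have to re-derive that the two forms are equivalent. Either way the outcome when the log shows `-` is that the field is simply absent rather than 0, which is what the new expected fixture encodes. The enclosing grok processor and the rest of the pipeline definition lie outside the hunk.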
@@ -1 +1,2 @@
 [10/Aug/2018:09:45:56 +0200] 172.30.0.119 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /nagiosxi/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_admin_tasks_html%22%2C%22args%22%3A%22%22%7D&nsp=b5c7d5d4b6f7d0cf0c92f9cbdf737f6a5c838218425e6ae21 HTTP/1.1" 1375
+[16/Oct/2019:11:53:47 +0200] 11.19.0.217 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /appl/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_pagetop_alert_content_html%22%2C%22args%22%3A%22%22%7D&nsp=c2700eab9797eda8a9f65a3ab17a6adbceccd60a6cca7708650a5923950d HTTP/1.1" -
diff --git a/filebeat/module/apache/access/test/ssl-request.log-expected.json b/filebeat/module/apache/access/test/ssl-request.log-expected.json
index 17279c34ad1..8d2749b2416 100644
--- a/filebeat/module/apache/access/test/ssl-request.log-expected.json
+++ b/filebeat/module/apache/access/test/ssl-request.log-expected.json
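Review bot: The added fixture line uses the publicly routable address 11.19.0.217, and the matching record in the ssl-request.log-expected.json hunk that follows therefore carries `source.geo.continent_name`, `source.geo.country_iso_code` and `source.geo.location.*` values, presumably filled in by a geoip enrichment step from a bundled database; those values can shift whenever that database is refreshed, which makes the expectation brittle in a way the first line's private 172.30.0.119 avoids. Since the point of this fixture is only to exercise the `-` byte-count path, a private or RFC 5737 documentation-range address (for example 198.51.100.217, a constructed value) would cover the same parser branch without binding the test to geo data. If the public address is intentional, a short comment in the test's README or the PR description saying the geo fields are expected to drift would help the next person who sees the test fail.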
@@ -15,5 +15,25 @@
 "source.address": "172.30.0.119",
 "source.ip": "172.30.0.119",
 "url.original": "/nagiosxi/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_admin_tasks_html%22%2C%22args%22%3A%22%22%7D&nsp=b5c7d5d4b6f7d0cf0c92f9cbdf737f6a5c838218425e6ae21"
+ },
+ {
+ "@timestamp": "2019-10-16T09:53:47.000Z",
+ "apache.access.ssl.cipher": "ECDHE-RSA-AES128-GCM-SHA256",
+ "apache.access.ssl.protocol": "TLSv1.2",
+ "event.dataset": "apache.access",
+ "event.module": "apache",
+ "fileset.name": "access",
+ "http.request.method": "GET",
+ "http.version": "1.1",
+ "input.type": "log",
+ "log.offset": 276,
+ "service.type": "apache",
+ "source.address": "11.19.0.217",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 37.751,
+ "source.geo.location.lon": -97.822,
+ "source.ip": "11.19.0.217",
+ "url.original": "/appl/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_pagetop_alert_content_html%22%2C%22args%22%3A%22%22%7D&nsp=c2700eab9797eda8a9f65a3ab17a6adbceccd60a6cca7708650a5923950d"
 }
 ]
\ No newline at end of file