Cherry-pick to 6.x: Add support for ssl_request_log in apache2 module (…

…#9833) (#9848) * Add support for ssl_request_log in apache2 module (#9833) * Add support for ssl_request_log in apache2 module * Update changelog * Rename ssl.cipher and ssl.protocol (cherry picked from commit 033b021) * Fix apache2.access.http_version * Rename url.original to apache2.access.url
elastic · Jan 4, 2019 · 404c19e · 404c19e
1 parent e6ff695
commit 404c19e
Show file tree

Hide file tree

Showing 7 changed files with 52 additions and 3 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -117,6 +117,7 @@ https://github.com/elastic/beats/compare/v6.6.0...6.x[Check the HEAD diff]
 - Add field log.source.address and log.file.path to replace source. {pull}9435[9435]
 - Add support for multi-core thread_id in postgresql module {issue}9156[9156] {pull}9482[9482]
 - Added netflow input type that supports NetFlow v1, v5, v6, v7, v8, v9 and IPFIX. {issue}9399[9399]
+- Add support for ssl_request_log in apache2 module. {issue}8088[8088] {pull}9833[9833]
 
 *Heartbeat*
 

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -182,6 +182,26 @@ type: keyword
 Client IP address.
 
 
+--
+
+*`apache2.access.ssl.protocol`*::
++
+--
+type: keyword
+
+SSL protocol version.
+
+
+--
+
+*`apache2.access.ssl.cipher`*::
++
+--
+type: keyword
+
+SSL cipher name.
+
+
 --
 
 *`apache2.access.user_name`*::

diff --git a/filebeat/include/fields.go b/filebeat/include/fields.go
diff --git a/filebeat/module/apache2/access/_meta/fields.yml b/filebeat/module/apache2/access/_meta/fields.yml
@@ -7,6 +7,14 @@
       type: keyword
       description: >
         Client IP address.
+    - name: ssl.protocol
+      type: keyword
+      description: >
+        SSL protocol version.
+    - name: ssl.cipher
+      type: keyword
+      description: >
+        SSL cipher name.
     - name: user_name
       type: keyword
       description: >

diff --git a/filebeat/module/apache2/access/ingest/default.json b/filebeat/module/apache2/access/ingest/default.json
@@ -4,8 +4,9 @@
     "grok": {
       "field": "message",
       "patterns":[
-        "%{IPORHOST:apache2.access.remote_ip} - %{DATA:apache2.access.user_name} \\[%{HTTPDATE:apache2.access.time}\\] \"%{WORD:apache2.access.method} %{DATA:apache2.access.url} HTTP/%{NUMBER:apache2.access.http_version}\" %{NUMBER:apache2.access.response_code} (?:%{NUMBER:apache2.access.body_sent.bytes}|-)( \"%{DATA:apache2.access.referrer}\")?( \"%{DATA:apache2.access.agent}\")?",
-        "%{IPORHOST:apache2.access.remote_ip} - %{DATA:apache2.access.user_name} \\[%{HTTPDATE:apache2.access.time}\\] \"-\" %{NUMBER:apache2.access.response_code} -"
+          "%{IPORHOST:apache2.access.remote_ip} - %{DATA:apache2.access.user_name} \\[%{HTTPDATE:apache2.access.time}\\] \"%{WORD:apache2.access.method} %{DATA:apache2.access.url} HTTP/%{NUMBER:apache2.access.http_version}\" %{NUMBER:apache2.access.response_code} (?:%{NUMBER:apache2.access.body_sent.bytes}|-)( \"%{DATA:apache2.access.referrer}\")?( \"%{DATA:apache2.access.agent}\")?",
+          "%{IPORHOST:apache2.access.remote_ip} - %{DATA:apache2.access.user_name} \\[%{HTTPDATE:apache2.access.time}\\] \"-\" %{NUMBER:apache2.access.response_code} -",
+        "\\[%{HTTPDATE:apache2.access.time}\\] %{IPORHOST:apache2.access.remote_ip} %{DATA:apache2.access.ssl.protocol} %{DATA:apache2.access.ssl.cipher} \"%{WORD:http.request.method} %{DATA:apache2.access.url} HTTP/%{NUMBER:apache2.access.http_version}\" %{NUMBER:apache2.access.body_sent.bytes}"
         ],
       "ignore_missing": true
     }

diff --git a/filebeat/module/apache2/access/test/ssl-request.log b/filebeat/module/apache2/access/test/ssl-request.log
@@ -0,0 +1 @@
+[10/Aug/2018:09:45:56 +0200] 172.30.0.119 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /nagiosxi/ajaxhelper.php?cmd=getxicoreajax&amp;opts=%7B%22func%22%3A%22get_admin_tasks_html%22%2C%22args%22%3A%22%22%7D&amp;nsp=b5c7d5d4b6f7d0cf0c92f9cbdf737f6a5c838218425e6ae21 HTTP/1.1" 1375
diff --git a/filebeat/module/apache2/access/test/ssl-request.log-expected.json b/filebeat/module/apache2/access/test/ssl-request.log-expected.json
@@ -0,0 +1,18 @@
+[
+    {
+        "@timestamp": "2018-08-10T07:45:56.000Z",
+        "apache2.access.body_sent.bytes": "1375",
+        "apache2.access.http_version": "1.1",
+        "apache2.access.remote_ip": "172.30.0.119",
+        "apache2.access.ssl.cipher": "ECDHE-RSA-AES128-GCM-SHA256",
+        "apache2.access.ssl.protocol": "TLSv1.2",
+        "apache2.access.url": "/nagiosxi/ajaxhelper.php?cmd=getxicoreajax&amp;opts=%7B%22func%22%3A%22get_admin_tasks_html%22%2C%22args%22%3A%22%22%7D&amp;nsp=b5c7d5d4b6f7d0cf0c92f9cbdf737f6a5c838218425e6ae21",
+        "event.dataset": "apache2.access",
+        "fileset.module": "apache2",
+        "fileset.name": "access",
+        "http.request.method": "GET",
+        "input.type": "log",
+        "offset": 0,
+        "prospector.type": "log"
+    }
+]
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		[10/Aug/2018:09:45:56 +0200] 172.30.0.119 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /nagiosxi/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_admin_tasks_html%22%2C%22args%22%3A%22%22%7D&nsp=b5c7d5d4b6f7d0cf0c92f9cbdf737f6a5c838218425e6ae21 HTTP/1.1" 1375