From 103c8b343453c9b0910185b1b6b1c5a8b3d0a2b9 Mon Sep 17 00:00:00 2001 From: Alex Resnick Date: Tue, 29 Mar 2022 09:58:37 -0500 Subject: [PATCH] [IIS] Fix field mappings (#2890) Fix event.* field mappings and conflicts. --- packages/iis/changelog.yml | 5 + .../_dev/test/pipeline/test-common-config.yml | 2 - .../test-iis-access-72.log-expected.json | 407 +++++----- .../test-iis-access-75.log-expected.json | 296 ++++--- .../test-iis-access.log-expected.json | 457 ++++++----- .../pipeline/test-ipv6zone.log-expected.json | 95 ++- ...t-x-forward-for-extended.log-expected.json | 616 +++++++------- .../test-x-forward-for.log-expected.json | 751 +++++++++--------- .../elasticsearch/ingest_pipeline/default.yml | 17 +- .../iis/data_stream/access/fields/ecs.yml | 14 + .../_dev/test/pipeline/test-common-config.yml | 2 - .../test-iis-error-72.log-expected.json | 288 ++++--- .../pipeline/test-iis-error.log-expected.json | 652 ++++++++------- .../test-ipv6-zone-id.log-expected.json | 45 +- .../elasticsearch/ingest_pipeline/default.yml | 3 - packages/iis/data_stream/error/fields/ecs.yml | 14 + packages/iis/docs/README.md | 14 + packages/iis/manifest.yml | 2 +- 18 files changed, 1807 insertions(+), 1873 deletions(-) diff --git a/packages/iis/changelog.yml b/packages/iis/changelog.yml index 6ad69ffba95..9595fe63329 100644 --- a/packages/iis/changelog.yml +++ b/packages/iis/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.8.3" + changes: + - description: Fix event.* field mappings + type: bugfix + link: https://github.com/elastic/integrations/pull/2890 - version: "0.8.2" changes: - description: Regenerate test files using the new GeoIP database diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-common-config.yml b/packages/iis/data_stream/access/_dev/test/pipeline/test-common-config.yml index 5622947e4b8..4da22641654 100644 --- a/packages/iis/data_stream/access/_dev/test/pipeline/test-common-config.yml 
+++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-common-config.yml @@ -1,5 +1,3 @@ -dynamic_fields: - event.ingested: ".*" fields: tags: - preserve_original_event diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log-expected.json b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log-expected.json index 4d00d27202c..4caf0915a1e 100644 --- a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log-expected.json +++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log-expected.json 
@@ -1,357 +1,342 @@ { "expected": [ { - "temp": {}, + "@timestamp": "2018-12-31T12:02:53.000Z", "destination": { - "port": 8080, "address": "10.44.0.136", - "ip": "10.44.0.136" + "ip": "10.44.0.136", + "port": 8080 }, - "source": { - "address": "10.50.6.188", - "ip": "10.50.6.188" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/pbserver/..À¯..À¯..À¯..À¯..À¯../winnt/system32/cmd.exe", - "extension": "exe", - "original": "/pbserver/..À¯..À¯..À¯..À¯..À¯../winnt/system32/cmd.exe", - "query": "/c dir c:\\ /OG" + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2018-12-31 12:02:53 10.44.0.136 GET /pbserver/..À¯..À¯..À¯..À¯..À¯../winnt/system32/cmd.exe /c+dir+c:\\+/OG 8080 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 64 0", + "outcome": "failure", + "type": [ + "connection" + ] + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 404 + } }, - "tags": [ - "preserve_original_event" - ], "iis": { "access": { "sub_status": 0, "win32_status": 64 } }, - "@timestamp": "2018-12-31T12:02:53.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "10.50.6.188", "10.44.0.136" ] }, - "http": { - "request": { - "method": "GET" - }, - "response": { - "status_code": 404 - } + "source": { + "address": "10.50.6.188", + "ip": "10.50.6.188" }, - "event": { - "duration": 0, - "ingested": "2021-12-14T14:46:45.758473813Z", - "original": "2018-12-31 12:02:53 10.44.0.136 GET /pbserver/..À¯..À¯..À¯..À¯..À¯../winnt/system32/cmd.exe /c+dir+c:\\+/OG 8080 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 64 0", - "kind": "event", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "outcome": "failure" + "tags": [ + "preserve_original_event" + ], + "url": { + "extension": "exe", + "original": "/pbserver/..À¯..À¯..À¯..À¯..À¯../winnt/system32/cmd.exe", + "path": 
"/pbserver/..À¯..À¯..À¯..À¯..À¯../winnt/system32/cmd.exe", + "query": "/c dir c:\\ /OG" }, "user_agent": { + "device": { + "name": "Other" + }, "name": "IE", "original": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", "os": { + "full": "Windows XP", "name": "Windows", - "version": "XP", - "full": "Windows XP" - }, - "device": { - "name": "Other" + "version": "XP" }, "version": "8.0" } }, { - "temp": {}, + "@timestamp": "2018-12-31T12:02:53.000Z", "destination": { - "port": 8080, "address": "10.44.0.136", - "ip": "10.44.0.136" + "ip": "10.44.0.136", + "port": 8080 }, - "source": { - "address": "10.50.6.188", - "ip": "10.50.6.188" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/pbserver/..ÁÁ..ÁÁ..ÁÁ..ÁÁ..ÁÁ../winnt/system32/cmd.exe", - "extension": "exe", - "original": "/pbserver/..ÁÁ..ÁÁ..ÁÁ..ÁÁ..ÁÁ../winnt/system32/cmd.exe", - "query": "/c dir c:\\ /OG" + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2018-12-31 12:02:53 10.44.0.136 GET /pbserver/..ÁÁ..ÁÁ..ÁÁ..ÁÁ..ÁÁ../winnt/system32/cmd.exe /c+dir+c:\\+/OG 8080 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 2 46", + "outcome": "failure", + "type": [ + "connection" + ] + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 404 + } }, - "tags": [ - "preserve_original_event" - ], "iis": { "access": { "sub_status": 0, "win32_status": 2 } }, - "@timestamp": "2018-12-31T12:02:53.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "10.50.6.188", "10.44.0.136" ] }, - "http": { - "request": { - "method": "GET" - }, - "response": { - "status_code": 404 - } + "source": { + "address": "10.50.6.188", + "ip": "10.50.6.188" }, - "event": { - "duration": 46000000, - "ingested": "2021-12-14T14:46:45.758476211Z", - "original": "2018-12-31 12:02:53 10.44.0.136 GET /pbserver/..ÁÁ..ÁÁ..ÁÁ..ÁÁ..ÁÁ../winnt/system32/cmd.exe /c+dir+c:\\+/OG 8080 - 10.50.6.188 
Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 2 46", - "kind": "event", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "outcome": "failure" + "tags": [ + "preserve_original_event" + ], + "url": { + "extension": "exe", + "original": "/pbserver/..ÁÁ..ÁÁ..ÁÁ..ÁÁ..ÁÁ../winnt/system32/cmd.exe", + "path": "/pbserver/..ÁÁ..ÁÁ..ÁÁ..ÁÁ..ÁÁ../winnt/system32/cmd.exe", + "query": "/c dir c:\\ /OG" }, "user_agent": { + "device": { + "name": "Other" + }, "name": "IE", "original": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", "os": { + "full": "Windows XP", "name": "Windows", - "version": "XP", - "full": "Windows XP" - }, - "device": { - "name": "Other" + "version": "XP" }, "version": "8.0" } }, { - "temp": {}, + "@timestamp": "2018-12-31T12:02:53.000Z", "destination": { - "port": 443, "address": "10.44.0.136", - "ip": "10.44.0.136" + "ip": "10.44.0.136", + "port": 443 }, - "source": { - "address": "10.50.6.188", - "ip": "10.50.6.188" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/Director", - "original": "/Director" + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2018-12-31 12:02:53 10.44.0.136 GET /Director - 443 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 401 0 0 0", + "outcome": "failure", + "type": [ + "connection" + ] + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 401 + } }, - "tags": [ - "preserve_original_event" - ], "iis": { "access": { "sub_status": 0, "win32_status": 0 } }, - "@timestamp": "2018-12-31T12:02:53.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "10.50.6.188", "10.44.0.136" ] }, - "http": { - "request": { - "method": "GET" - }, - "response": { - "status_code": 401 - } + "source": { + "address": "10.50.6.188", + "ip": "10.50.6.188" }, - "event": { - "duration": 0, - "ingested": "2021-12-14T14:46:45.758476649Z", - "original": "2018-12-31 
12:02:53 10.44.0.136 GET /Director - 443 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 401 0 0 0", - "kind": "event", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "outcome": "failure" + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "/Director", + "path": "/Director" }, "user_agent": { + "device": { + "name": "Other" + }, "name": "IE", "original": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", "os": { + "full": "Windows XP", "name": "Windows", - "version": "XP", - "full": "Windows XP" - }, - "device": { - "name": "Other" + "version": "XP" }, "version": "8.0" } }, { - "temp": {}, + "@timestamp": "2018-12-31T12:02:53.000Z", "destination": { - "port": 443, "address": "10.44.0.136", - "ip": "10.44.0.136" + "ip": "10.44.0.136", + "port": 443 }, - "source": { - "address": "10.50.6.188", - "ip": "10.50.6.188" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/", - "original": "/" + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2018-12-31 12:02:53 10.44.0.136 GET / - 443 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 401 0 0 0", + "outcome": "failure", + "type": [ + "connection" + ] + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 401 + } }, - "tags": [ - "preserve_original_event" - ], "iis": { "access": { "sub_status": 0, "win32_status": 0 } }, - "@timestamp": "2018-12-31T12:02:53.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "10.50.6.188", "10.44.0.136" ] }, - "http": { - "request": { - "method": "GET" - }, - "response": { - "status_code": 401 - } + "source": { + "address": "10.50.6.188", + "ip": "10.50.6.188" }, - "event": { - "duration": 0, - "ingested": "2021-12-14T14:46:45.758477019Z", - "original": "2018-12-31 12:02:53 10.44.0.136 GET / - 443 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 
401 0 0 0", - "kind": "event", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "outcome": "failure" + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "/", + "path": "/" }, "user_agent": { + "device": { + "name": "Other" + }, "name": "IE", "original": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", "os": { + "full": "Windows XP", "name": "Windows", - "version": "XP", - "full": "Windows XP" - }, - "device": { - "name": "Other" + "version": "XP" }, "version": "8.0" } }, { - "temp": {}, + "@timestamp": "2018-12-31T12:02:53.000Z", "destination": { - "port": 8080, "address": "10.44.0.136", - "ip": "10.44.0.136" + "ip": "10.44.0.136", + "port": 8080 }, - "source": { - "address": "10.50.6.188", - "ip": "10.50.6.188" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe", - "extension": "exe", - "original": "/pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe", - "query": "/c dir c:\\ /OG" + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2018-12-31 12:02:53 10.44.0.136 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:\\+/OG 8080 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 64 15", + "outcome": "failure", + "type": [ + "connection" + ] + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 404 + } }, - "tags": [ - "preserve_original_event" - ], "iis": { "access": { "sub_status": 0, "win32_status": 64 } }, - "@timestamp": "2018-12-31T12:02:53.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "10.50.6.188", "10.44.0.136" ] }, - "http": { - "request": { - "method": "GET" - }, - "response": { - "status_code": 404 - } + "source": { + "address": "10.50.6.188", + "ip": "10.50.6.188" }, - "event": { - "duration": 15000000, - "ingested": "2021-12-14T14:46:45.758477459Z", - "original": "2018-12-31 12:02:53 
10.44.0.136 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:\\+/OG 8080 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 64 15", - "kind": "event", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "outcome": "failure" + "tags": [ + "preserve_original_event" + ], + "url": { + "extension": "exe", + "original": "/pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe", + "path": "/pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe", + "query": "/c dir c:\\ /OG" }, "user_agent": { + "device": { + "name": "Other" + }, "name": "IE", "original": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", "os": { + "full": "Windows XP", "name": "Windows", - "version": "XP", - "full": "Windows XP" - }, - "device": { - "name": "Other" + "version": "XP" }, "version": "8.0" } diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-75.log-expected.json b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-75.log-expected.json index 2e2edcb66ca..6d143d1851b 100644 --- a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-75.log-expected.json +++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-75.log-expected.json 
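Review bot: The regenerated expectations drop `event.duration` entirely, including for records whose time-taken column is nonzero (the entry ending `404 0 2 46` previously produced `"duration": 46000000`, the one ending `404 0 64 15` produced `15000000`), so the pipeline appears to have stopped emitting request duration rather than only fixing its mapping. The access `ingest_pipeline/default.yml` hunk is not in this chunk, so this may be intentional, but the changelog entry only says "Fix event.* field mappings", and `event.duration` is the field that slow-request and resource-exhaustion detections on web logs rely on. If the field is meant to survive, the pipeline should still derive `event.duration` from time-taken (milliseconds to nanoseconds) and these fixtures be regenerated; if it is being dropped deliberately, the changelog entry should say so, e.g. `description: Fix event.* field mappings; event.duration is no longer populated`. Removing `event.ingested` and the stray empty `temp` object from the fixtures is consistent with the `dynamic_fields` entry for `event.ingested` being deleted from test-common-config.yml.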
@@ -1,253 +1,241 @@ { "expected": [ { - "temp": {}, + "@timestamp": "2018-08-28T18:24:25.000Z", "destination": { - "port": 80, "address": "10.100.220.70", - "ip": "10.100.220.70" + "ip": "10.100.220.70", + "port": 80 }, - "source": { - "address": "10.100.118.31", - "ip": "10.100.118.31" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/", - "original": "/" + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2018-08-28 18:24:25 [10.100.220.70](http://10.100.220.70) GET / - 80 - [10.100.118.31](http://10.100.118.31) Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR[+2.0.50727](tel:+2050727);+.NET+CLR+3.0.30729) 404 4 2 792", + "outcome": "failure", + "type": [ + "connection" + ] + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 404 + } }, - "tags": [ - "preserve_original_event" - ], "iis": { "access": { "sub_status": 4, "win32_status": 2 } }, - "@timestamp": "2018-08-28T18:24:25.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "10.100.118.31", "10.100.220.70" ] }, - "http": { - "request": { - "method": "GET" - }, - "response": { - "status_code": 404 - } + "source": { + "address": "10.100.118.31", + "ip": "10.100.118.31" }, - "event": { - "duration": 792000000, - "ingested": "2021-12-14T14:46:46.663915440Z", - "original": "2018-08-28 18:24:25 [10.100.220.70](http://10.100.220.70) GET / - 80 - [10.100.118.31](http://10.100.118.31) Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR[+2.0.50727](tel:+2050727);+.NET+CLR+3.0.30729) 404 4 2 792", - "kind": "event", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "outcome": "failure" + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "/", + "path": "/" }, "user_agent": { + "device": { + "name": "Other" + }, "name": "IE", "original": 
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR[ 2.0.50727](tel: 2050727); .NET CLR 3.0.30729)", "os": { + "full": "Windows 8.1", "name": "Windows", - "version": "8.1", - "full": "Windows 8.1" - }, - "device": { - "name": "Other" + "version": "8.1" }, "version": "11.0" } }, { - "temp": {}, + "@timestamp": "2019-03-06T18:43:17.000Z", "destination": { - "port": 80, "address": "10.0.140.107", - "ip": "10.0.140.107" + "ip": "10.0.140.107", + "port": 80 }, - "source": { - "address": "10.0.140.2", - "ip": "10.0.140.2" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/health-monitoring", - "original": "/health-monitoring" + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2019-03-06 18:43:17 10.0.140.107 GET /health-monitoring - 80 - 10.0.140.2 - 200 0 0 15", + "outcome": "success", + "type": [ + "connection" + ] + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 200 + } }, - "tags": [ - "preserve_original_event" - ], "iis": { "access": { "sub_status": 0, "win32_status": 0 } }, - "@timestamp": "2019-03-06T18:43:17.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "10.0.140.2", "10.0.140.107" ] }, - "http": { - "request": { - "method": "GET" - }, - "response": { - "status_code": 200 - } + "source": { + "address": "10.0.140.2", + "ip": "10.0.140.2" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "/health-monitoring", + "path": "/health-monitoring" + } + }, + { + "@timestamp": "2019-03-06T18:43:17.000Z", + "destination": { + "address": "10.0.140.107", + "ip": "10.0.140.107", + "port": 80 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "duration": 15000000, - "ingested": "2021-12-14T14:46:46.663932266Z", - "original": "2019-03-06 18:43:17 10.0.140.107 GET /health-monitoring - 80 - 10.0.140.2 - 200 0 0 15", - "kind": "event", "category": [ "web", "network" ], + "kind": 
"event", + "original": "2019-03-06 18:43:17 10.0.140.107 GET /health-monitoring - 80 - 10.0.140.2 - 200 0 0 15", + "outcome": "success", "type": [ "connection" - ], - "outcome": "success" - } - }, - { - "temp": {}, - "destination": { - "port": 80, - "address": "10.0.140.107", - "ip": "10.0.140.107" - }, - "source": { - "address": "10.0.140.2", - "ip": "10.0.140.2" + ] }, - "url": { - "path": "/health-monitoring", - "original": "/health-monitoring" + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 200 + } }, - "tags": [ - "preserve_original_event" - ], "iis": { "access": { "sub_status": 0, "win32_status": 0 } }, - "@timestamp": "2019-03-06T18:43:17.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "10.0.140.2", "10.0.140.107" ] }, - "http": { - "request": { - "method": "GET" - }, - "response": { - "status_code": 200 - } + "source": { + "address": "10.0.140.2", + "ip": "10.0.140.2" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "/health-monitoring", + "path": "/health-monitoring" + } + }, + { + "@timestamp": "2019-03-06T18:43:17.000Z", + "destination": { + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "port": 80 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "duration": 15000000, - "ingested": "2021-12-14T14:46:46.663932660Z", - "original": "2019-03-06 18:43:17 10.0.140.107 GET /health-monitoring - 80 - 10.0.140.2 - 200 0 0 15", - "kind": "event", "category": [ "web", "network" ], + "kind": "event", + "original": "2019-03-06 18:43:17 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 GET /health-monitoring - 80 - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - 200 0 0 15", + "outcome": "success", "type": [ "connection" - ], - "outcome": "success" - } - }, - { - "temp": {}, - "destination": { - "port": 80, - "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ] }, - "source": { - "geo": { - 
"continent_name": "Europe", - "country_name": "Norway", - "location": { - "lon": 10.0, - "lat": 62.0 - }, - "country_iso_code": "NO" + "http": { + "request": { + "method": "GET" }, - "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - }, - "url": { - "path": "/health-monitoring", - "original": "/health-monitoring" + "response": { + "status_code": 200 + } }, - "tags": [ - "preserve_original_event" - ], "iis": { "access": { "sub_status": 0, "win32_status": 0 } }, - "@timestamp": "2019-03-06T18:43:17.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, - "http": { - "request": { - "method": "GET" + "source": { + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62, + "lon": 10 + } }, - "response": { - "status_code": 200 - } + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, - "event": { - "duration": 15000000, - "ingested": "2021-12-14T14:46:46.663932997Z", - "original": "2019-03-06 18:43:17 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 GET /health-monitoring - 80 - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - 200 0 0 15", - "kind": "event", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "/health-monitoring", + "path": "/health-monitoring" } } ] diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access.log-expected.json b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access.log-expected.json index 9ce001bd959..8c165a1d4c9 100644 --- a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access.log-expected.json +++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access.log-expected.json 
@@ -1,128 +1,108 @@ { "expected": [ { - "temp": {}, + "@timestamp": "2018-01-01T08:09:10.000Z", "destination": { - "port": 80, "address": "127.0.0.1", - "ip": "127.0.0.1" + "ip": "127.0.0.1", + "port": 80 }, - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, - "address": "67.43.156.13", - "ip": "67.43.156.13" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/", - "original": "/", - "query": "q=100" + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2018-01-01 08:09:10 127.0.0.1 GET / q=100 80 - 67.43.156.13 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 - 200 0 0 123", + "outcome": "success", + "type": [ + "connection" + ] + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 200 + } }, - "tags": [ - "preserve_original_event" - ], "iis": { "access": { "sub_status": 0, "win32_status": 0 } }, - "@timestamp": "2018-01-01T08:09:10.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "67.43.156.13", "127.0.0.1" ] }, - "http": { - "request": { - "method": "GET" + "source": { + "address": "67.43.156.13", + "as": { + "number": 35908 }, - "response": { - "status_code": 200 - } + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.13" }, - "event": { - "duration": 123000000, - "ingested": "2021-12-14T14:46:47.087874836Z", - "original": "2018-01-01 08:09:10 127.0.0.1 GET / q=100 80 - 67.43.156.13 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 - 200 0 0 123", - "kind": "event", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "/", + "path": "/", + 
"query": "q=100" }, "user_agent": { + "device": { + "name": "Other" + }, "name": "Firefox", "original": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0", "os": { + "full": "Windows 7", "name": "Windows", - "version": "7", - "full": "Windows 7" - }, - "device": { - "name": "Other" + "version": "7" }, "version": "57.0." } }, { - "temp": {}, + "@timestamp": "2018-01-01T09:10:11.000Z", "destination": { - "port": 80, - "domain": "example.com" - }, - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, - "url": { - "path": "/", - "original": "/", - "domain": "example.com" - }, - "tags": [ - "preserve_original_event" - ], - "iis": { - "access": { - "site_name": "W3SVC1", - "sub_status": 0, - "win32_status": 0 - } + "domain": "example.com", + "port": 80 }, - "@timestamp": "2018-01-01T09:10:11.000Z", "ecs": { "version": "1.12.0" }, - "related": { - "ip": [ - "127.0.0.1" - ] + "event": { + "category": [ + "web" + ], + "kind": "event", + "original": "2018-01-01 09:10:11 W3SVC1 GET / - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 - - example.com 200 0 0 123 456 789", + "outcome": "success" }, "http": { "request": { - "method": "GET", "body": { "bytes": 456 - } + }, + "method": "GET" }, "response": { "body": { 
@@ -131,259 +111,264 @@ "status_code": 200 } }, - "event": { - "duration": 789000000, - "ingested": "2021-12-14T14:46:47.087877193Z", - "original": "2018-01-01 09:10:11 W3SVC1 GET / - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 - - example.com 200 0 0 123 456 789", - "category": [ - "web" - ], - "kind": "event", - "outcome": "success" + "iis": { + "access": { + "site_name": "W3SVC1", + "sub_status": 0, + "win32_status": 0 + } + }, + "related": { + "ip": [ + "127.0.0.1" + ] + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "example.com", + "original": "/", + "path": "/" }, "user_agent": { + "device": { + "name": "Other" + }, "name": "Firefox", "original": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0", "os": { + "full": "Windows 7", "name": "Windows", - "version": "7", - "full": "Windows 7" - }, - "device": { - "name": "Other" + "version": "7" }, "version": "57.0." 
} }, { - "temp": {}, + "@timestamp": "2018-01-01T10:11:12.000Z", "destination": { "address": "127.0.0.1", - "port": 80, "domain": "example.com", - "ip": "127.0.0.1" + "ip": "127.0.0.1", + "port": 80 }, - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2018-01-01 10:11:12 W3SVC1 MACHINE-NAME 127.0.0.1 GET / - 80 - 67.43.156.13 HTTP/1.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_14_0)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36 - - example.com 200 0 0 123 456 789", + "outcome": "success", + "type": [ + "connection" + ] + }, + "http": { + "request": { + "body": { + "bytes": 456 }, - "country_iso_code": "BT" + "method": "GET" }, - "as": { - "number": 35908 + "response": { + "body": { + "bytes": 123 + }, + "status_code": 200 }, - "address": "67.43.156.13", - "ip": "67.43.156.13" - }, - "url": { - "path": "/", - "original": "/", - "domain": "example.com" + "version": "1.1" }, - "tags": [ - "preserve_original_event" - ], "iis": { "access": { - "site_name": "W3SVC1", "server_name": "MACHINE-NAME", + "site_name": "W3SVC1", "sub_status": 0, "win32_status": 0 } }, - "@timestamp": "2018-01-01T10:11:12.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "67.43.156.13", "127.0.0.1" ] }, - "http": { - "request": { - "method": "GET", - "body": { - "bytes": 456 + "source": { + "address": "67.43.156.13", + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 } }, - "version": "1.1", - "response": { - "body": { - "bytes": 123 - }, - "status_code": 200 - } + "ip": "67.43.156.13" }, - "event": { - "duration": 789000000, - "ingested": "2021-12-14T14:46:47.087877641Z", - "original": "2018-01-01 10:11:12 W3SVC1 MACHINE-NAME 
127.0.0.1 GET / - 80 - 67.43.156.13 HTTP/1.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_14_0)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36 - - example.com 200 0 0 123 456 789", - "kind": "event", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "example.com", + "original": "/", + "path": "/" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Chrome", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", "os": { + "full": "Mac OS X 10.14.0", "name": "Mac OS X", - "version": "10.14.0", - "full": "Mac OS X 10.14.0" - }, - "device": { - "name": "Mac" + "version": "10.14.0" }, "version": "70.0.3538.102" } }, { - "temp": {}, + "@timestamp": "2018-12-31T12:52:33.000Z", "destination": { - "port": 443, "address": "10.44.0.136", - "ip": "10.44.0.136" + "ip": "10.44.0.136", + "port": 443 }, - "source": { - "address": "10.50.6.188", - "ip": "10.50.6.188" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/", - "original": "/", - "query": "redirect:${#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#webroot=#req.getSession().getServletContext().getRealPath('/'),#resp.println(#webroot),#resp.flush(),#resp.close()}" + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2018-12-31 12:52:33 10.44.0.136 GET / redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23webroot%3d%23req.getSession().getServletContext().getRealPath('/'),%23resp.println(%23webroot),%23resp.flush(),%23resp.close()} 443 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 401 0 0 0", + "outcome": "failure", + "type": [ + "connection" + ] + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 401 + } }, - 
"tags": [ - "preserve_original_event" - ], "iis": { "access": { "sub_status": 0, "win32_status": 0 } }, - "@timestamp": "2018-12-31T12:52:33.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "10.50.6.188", "10.44.0.136" ] }, - "http": { - "request": { - "method": "GET" - }, - "response": { - "status_code": 401 - } + "source": { + "address": "10.50.6.188", + "ip": "10.50.6.188" }, - "event": { - "duration": 0, - "ingested": "2021-12-14T14:46:47.087877995Z", - "original": "2018-12-31 12:52:33 10.44.0.136 GET / redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23webroot%3d%23req.getSession().getServletContext().getRealPath('/'),%23resp.println(%23webroot),%23resp.flush(),%23resp.close()} 443 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 401 0 0 0", - "kind": "event", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "outcome": "failure" + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "/", + "path": "/", + "query": "redirect:${#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#webroot=#req.getSession().getServletContext().getRealPath('/'),#resp.println(#webroot),#resp.flush(),#resp.close()}" }, "user_agent": { + "device": { + "name": "Other" + }, "name": "IE", "original": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", "os": { + "full": "Windows XP", "name": "Windows", - "version": "XP", - "full": "Windows XP" - }, - "device": { - "name": "Other" + "version": "XP" }, "version": "8.0" } }, { - "temp": {}, + "@timestamp": "2018-12-31T12:52:33.000Z", "destination": { - "port": 443, "address": "10.44.0.136", - "ip": "10.44.0.136" + "ip": "10.44.0.136", + "port": 443 }, - "source": { - "address": "10.50.6.188", - "ip": "10.50.6.188" + "ecs": { + "version": "1.12.0" }, - "url": { - "original": 
"/${#context['xwork.MethodAccessor.denyMethodExecution']=!(#_memberAccess['allowStaticMethodAccess']=true),(@java.lang.Runtime@getRuntime()).exec('ipconfig').waitFor()}.action" + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2018-12-31 12:52:33 10.44.0.136 GET /${#context['xwork.MethodAccessor.denyMethodExecution']=!(#_memberAccess['allowStaticMethodAccess']=true),(@java.lang.Runtime@getRuntime()).exec('ipconfig').waitFor()}.action - 443 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 2 0", + "outcome": "failure", + "type": [ + "connection" + ] + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 404 + } }, - "tags": [ - "preserve_original_event" - ], "iis": { "access": { "sub_status": 0, "win32_status": 2 } }, - "@timestamp": "2018-12-31T12:52:33.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "10.50.6.188", "10.44.0.136" ] }, - "http": { - "request": { - "method": "GET" - }, - "response": { - "status_code": 404 - } + "source": { + "address": "10.50.6.188", + "ip": "10.50.6.188" }, - "event": { - "duration": 0, - "ingested": "2021-12-14T14:46:47.087878356Z", - "original": "2018-12-31 12:52:33 10.44.0.136 GET /${#context['xwork.MethodAccessor.denyMethodExecution']=!(#_memberAccess['allowStaticMethodAccess']=true),(@java.lang.Runtime@getRuntime()).exec('ipconfig').waitFor()}.action - 443 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 2 0", - "kind": "event", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "outcome": "failure" + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "/${#context['xwork.MethodAccessor.denyMethodExecution']=!(#_memberAccess['allowStaticMethodAccess']=true),(@java.lang.Runtime@getRuntime()).exec('ipconfig').waitFor()}.action" }, "user_agent": { + "device": { + "name": "Other" + }, "name": "IE", "original": "Mozilla/4.0 
(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", "os": { + "full": "Windows XP", "name": "Windows", - "version": "XP", - "full": "Windows XP" - }, - "device": { - "name": "Other" + "version": "XP" }, "version": "8.0" } diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-ipv6zone.log-expected.json b/packages/iis/data_stream/access/_dev/test/pipeline/test-ipv6zone.log-expected.json index 6e5865fd684..0629ba9633b 100644 --- a/packages/iis/data_stream/access/_dev/test/pipeline/test-ipv6zone.log-expected.json +++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-ipv6zone.log-expected.json 
@@ -1,82 +1,79 @@ { "expected": [ { - "temp": {}, + "@timestamp": "2018-01-01T10:11:12.000Z", "destination": { "address": "::1%0", - "port": 80, "domain": "example.com", - "ip": "::1" - }, - "source": { - "address": "::1%0", - "ip": "::1" - }, - "url": { - "path": "/", - "original": "/", - "domain": "example.com" - }, - "tags": [ - "preserve_original_event" - ], - "iis": { - "access": { - "site_name": "W3SVC1", - "server_name": "MACHINE-NAME", - "sub_status": 0, - "win32_status": 0 - } + "ip": "::1", + "port": 80 }, - "@timestamp": "2018-01-01T10:11:12.000Z", "ecs": { "version": "1.12.0" }, - "related": { - "ip": [ - "::1", - "::1" + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2018-01-01 10:11:12 W3SVC1 MACHINE-NAME ::1%0 GET / - 80 - ::1%0 HTTP/1.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_14_0)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36 - - example.com 200 0 0 123 456 789", + "outcome": "success", + "type": [ + "connection" ] }, "http": { "request": { - "method": "GET", "body": { "bytes": 456 - } + }, + "method": "GET" }, - "version": "1.1", "response": { "body": { "bytes": 123 }, "status_code": 200 + }, + "version": "1.1" + }, + "iis": { + "access": { + "server_name": "MACHINE-NAME", + "site_name": "W3SVC1", + "sub_status": 0, + "win32_status": 0 } }, - "event": { - "duration": 789000000, - "ingested": "2021-12-14T14:46:48.042607327Z", - "original": "2018-01-01 10:11:12 W3SVC1 MACHINE-NAME ::1%0 GET / - 80 - ::1%0 HTTP/1.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_14_0)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36 - - example.com 200 0 0 123 456 789", - "kind": "event", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "outcome": "success" + "related": { + "ip": [ + "::1", + "::1" + ] + }, + "source": { + "address": "::1%0", + "ip": "::1" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "example.com", + 
"original": "/", + "path": "/" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Chrome", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", "os": { + "full": "Mac OS X 10.14.0", "name": "Mac OS X", - "version": "10.14.0", - "full": "Mac OS X 10.14.0" - }, - "device": { - "name": "Mac" + "version": "10.14.0" }, "version": "70.0.3538.102" } diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for-extended.log-expected.json b/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for-extended.log-expected.json index 6202cfd086c..3a1061f4de8 100644 --- a/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for-extended.log-expected.json +++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for-extended.log-expected.json 
@@ -1,126 +1,136 @@ { "expected": [ { - "temp": {}, + "@timestamp": "2020-10-04T22:00:34.000Z", "destination": { "address": "10.24.129.162", - "port": 80, "domain": "images.hogeschoolrotterdam.nl", - "ip": "10.24.129.162" - }, - "source": { - "address": "10.24.136.240", - "ip": "10.24.136.240" - }, - "url": { - "path": "/favicon.ico", - "extension": "ico", - "original": "/favicon.ico", - "domain": "images.hogeschoolrotterdam.nl" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "forwarded_ip": "67.43.156.14" - }, - "iis": { - "access": { - "site_name": "W3SVC2", - "server_name": "freca1", - "sub_status": 0, - "win32_status": 2 - } + "ip": "10.24.129.162", + "port": 80 }, - "@timestamp": "2020-10-04T22:00:34.000Z", "ecs": { "version": "1.12.0" }, - "related": { - "ip": [ - "10.24.136.240", - "10.24.129.162" + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2020-10-04 22:00:34 W3SVC2 freca1 10.24.129.162 GET /favicon.ico - 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:81.0)+Gecko/20100101+Firefox/81.0 - https://images.hogeschoolrotterdam.nl/Blob/adeec119008c48758c1a6be53aeeb2ac/34ff475072d54117bcb46ea7f023bd87.jpg?width=1200\u0026height=630\u0026mode=crop images.hogeschoolrotterdam.nl 404 0 2 1437 534 0 67.43.156.14", + "outcome": "failure", + "type": [ + "connection" ] }, "http": { "request": { - "method": "GET", "body": { "bytes": 534 }, + "method": "GET", "referrer": "https://images.hogeschoolrotterdam.nl/Blob/adeec119008c48758c1a6be53aeeb2ac/34ff475072d54117bcb46ea7f023bd87.jpg?width=1200\u0026height=630\u0026mode=crop" }, - "version": "1.1", "response": { "body": { "bytes": 1437 }, "status_code": 404 + }, + "version": "1.1" + }, + "iis": { + "access": { + "server_name": "freca1", + "site_name": "W3SVC2", + "sub_status": 0, + "win32_status": 2 } }, - "event": { - "duration": 0, - "ingested": "2021-12-14T14:46:48.252503682Z", - "original": "2020-10-04 22:00:34 W3SVC2 freca1 
10.24.129.162 GET /favicon.ico - 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:81.0)+Gecko/20100101+Firefox/81.0 - https://images.hogeschoolrotterdam.nl/Blob/adeec119008c48758c1a6be53aeeb2ac/34ff475072d54117bcb46ea7f023bd87.jpg?width=1200\u0026height=630\u0026mode=crop images.hogeschoolrotterdam.nl 404 0 2 1437 534 0 67.43.156.14", - "kind": "event", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "outcome": "failure" + "network": { + "forwarded_ip": "67.43.156.14" + }, + "related": { + "ip": [ + "10.24.136.240", + "10.24.129.162" + ] + }, + "source": { + "address": "10.24.136.240", + "ip": "10.24.136.240" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "images.hogeschoolrotterdam.nl", + "extension": "ico", + "original": "/favicon.ico", + "path": "/favicon.ico" }, "user_agent": { + "device": { + "name": "Other" + }, "name": "Firefox", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0", "os": { + "full": "Windows 10", "name": "Windows", - "version": "10", - "full": "Windows 10" - }, - "device": { - "name": "Other" + "version": "10" }, "version": "81.0." 
} }, { - "temp": {}, + "@timestamp": "2020-10-05T21:40:30.000Z", "destination": { "address": "10.24.129.162", - "port": 80, "domain": "images.hogeschoolrotterdam.nl", - "ip": "10.24.129.162" + "ip": "10.24.129.162", + "port": 80 }, - "source": { - "address": "10.24.136.240", - "ip": "10.24.136.240" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/robots.txt", - "extension": "txt", - "original": "/robots.txt", - "domain": "images.hogeschoolrotterdam.nl" + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2020-10-05 21:40:30 W3SVC2 freca1 10.24.129.162 GET /robots.txt - 80 - 10.24.136.240 HTTP/1.1 Twitterbot/1.0 - - images.hogeschoolrotterdam.nl 200 0 0 346 306 0 67.43.156.14", + "outcome": "success", + "type": [ + "connection" + ] }, - "tags": [ - "preserve_original_event" - ], - "network": { - "forwarded_ip": "67.43.156.14" + "http": { + "request": { + "body": { + "bytes": 306 + }, + "method": "GET" + }, + "response": { + "body": { + "bytes": 346 + }, + "status_code": 200 + }, + "version": "1.1" }, "iis": { "access": { - "site_name": "W3SVC2", "server_name": "freca1", + "site_name": "W3SVC2", "sub_status": 0, "win32_status": 0 } }, - "@timestamp": "2020-10-05T21:40:30.000Z", - "ecs": { - "version": "1.12.0" + "network": { + "forwarded_ip": "67.43.156.14" }, "related": { "ip": [ 
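Review bot: The regenerated expected output drops `event.duration` entirely, even though `event.original` in the same records still carries the IIS time-taken column, so the fixture suggests the pipeline change behind it lost that field rather than remapping it. In this hunk the removed value is only `"duration": 0`, but the test-ipv6zone hunk above removes `"duration": 789000000` while its log line ends in `789`, and the same drop appears in the next hunk of this file (`15000000`) and in both test-x-forward-for hunks below (`26000000`, `32000000`). The access `default.yml` and the `event.*` entries added to `access/fields/ecs.yml` are not in this chunk, so it is unclear whether the time-taken-to-nanoseconds conversion moved elsewhere or was dropped with the `temp` cleanup; if the latter, the conversion should be restored and these fixtures regenerated, since duration is one of the few fields that distinguishes a slow request from a normal one. The removal of `event.ingested` is consistent with the test-common-config change and needs no action.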
@@ -128,392 +138,364 @@ "10.24.129.162" ] }, - "http": { - "request": { - "method": "GET", - "body": { - "bytes": 306 - } - }, - "version": "1.1", - "response": { - "body": { - "bytes": 346 - }, - "status_code": 200 - } + "source": { + "address": "10.24.136.240", + "ip": "10.24.136.240" }, - "event": { - "duration": 0, - "ingested": "2021-12-14T14:46:48.252506257Z", - "original": "2020-10-05 21:40:30 W3SVC2 freca1 10.24.129.162 GET /robots.txt - 80 - 10.24.136.240 HTTP/1.1 Twitterbot/1.0 - - images.hogeschoolrotterdam.nl 200 0 0 346 306 0 67.43.156.14", - "kind": "event", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "images.hogeschoolrotterdam.nl", + "extension": "txt", + "original": "/robots.txt", + "path": "/robots.txt" }, "user_agent": { - "name": "Twitterbot", - "original": "Twitterbot/1.0", "device": { "name": "Spider" }, + "name": "Twitterbot", + "original": "Twitterbot/1.0", "version": "1.0" } }, { - "temp": {}, + "@timestamp": "2020-10-05T21:48:33.000Z", "destination": { "address": "10.24.129.162", - "port": 80, - "domain": "images.hogeschoolrotterdam.nl", - "ip": "10.24.129.162" - }, - "source": { - "address": "10.24.136.240", - "ip": "10.24.136.240" - }, - "url": { - "path": "/app_data/cache/9/e/1/c/3/7/9e1c37a203a2a306e8f5d4df1bddb1109dd42e57.jpg", - "extension": "jpg", - "original": "/app_data/cache/9/e/1/c/3/7/9e1c37a203a2a306e8f5d4df1bddb1109dd42e57.jpg", "domain": "images.hogeschoolrotterdam.nl", - "query": "width=35\u0026height=38\u0026mode=crop" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "forwarded_ip": "67.43.156.14" - }, - "iis": { - "access": { - "site_name": "W3SVC2", - "server_name": "freca1", - "cookie": "BIGipServerYAkgvoMsadfHHYQAGkWEWnyAqAads=27246369425.20480.0000", - "sub_status": 0, - "win32_status": 0 - } + "ip": "10.24.129.162", + "port": 80 }, - "@timestamp": "2020-10-05T21:48:33.000Z", 
"ecs": { "version": "1.12.0" }, - "related": { - "ip": [ - "10.24.136.240", - "10.24.129.162" + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2020-10-05 21:48:33 W3SVC2 freca1 10.24.129.162 GET /app_data/cache/9/e/1/c/3/7/9e1c37a203a2a306e8f5d4df1bddb1109dd42e57.jpg width=35\u0026height=38\u0026mode=crop 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36+Edge/18.18362 BIGipServerYAkgvoMsadfHHYQAGkWEWnyAqAads=27246369425.20480.0000 https://www.rotterdamuas.com/ images.hogeschoolrotterdam.nl 200 0 0 2007 581 15 67.43.156.14", + "outcome": "success", + "type": [ + "connection" ] }, "http": { "request": { - "method": "GET", "body": { "bytes": 581 }, + "method": "GET", "referrer": "https://www.rotterdamuas.com/" }, - "version": "1.1", "response": { "body": { "bytes": 2007 }, "status_code": 200 + }, + "version": "1.1" + }, + "iis": { + "access": { + "cookie": "BIGipServerYAkgvoMsadfHHYQAGkWEWnyAqAads=27246369425.20480.0000", + "server_name": "freca1", + "site_name": "W3SVC2", + "sub_status": 0, + "win32_status": 0 } }, - "event": { - "duration": 15000000, - "ingested": "2021-12-14T14:46:48.252506775Z", - "original": "2020-10-05 21:48:33 W3SVC2 freca1 10.24.129.162 GET /app_data/cache/9/e/1/c/3/7/9e1c37a203a2a306e8f5d4df1bddb1109dd42e57.jpg width=35\u0026height=38\u0026mode=crop 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36+Edge/18.18362 BIGipServerYAkgvoMsadfHHYQAGkWEWnyAqAads=27246369425.20480.0000 https://www.rotterdamuas.com/ images.hogeschoolrotterdam.nl 200 0 0 2007 581 15 67.43.156.14", - "kind": "event", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "outcome": "success" + "network": { + "forwarded_ip": "67.43.156.14" + }, + "related": { + "ip": [ + "10.24.136.240", + "10.24.129.162" + ] + }, + "source": { + 
"address": "10.24.136.240", + "ip": "10.24.136.240" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "images.hogeschoolrotterdam.nl", + "extension": "jpg", + "original": "/app_data/cache/9/e/1/c/3/7/9e1c37a203a2a306e8f5d4df1bddb1109dd42e57.jpg", + "path": "/app_data/cache/9/e/1/c/3/7/9e1c37a203a2a306e8f5d4df1bddb1109dd42e57.jpg", + "query": "width=35\u0026height=38\u0026mode=crop" }, "user_agent": { + "device": { + "name": "Other" + }, "name": "Edge", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362", "os": { + "full": "Windows 10", "name": "Windows", - "version": "10", - "full": "Windows 10" - }, - "device": { - "name": "Other" + "version": "10" }, "version": "18.18362" } }, { - "temp": {}, + "@timestamp": "2020-10-05T21:48:33.000Z", "destination": { "address": "10.24.129.162", - "port": 80, "domain": "images.hogeschoolrotterdam.nl", - "ip": "10.24.129.162" + "ip": "10.24.129.162", + "port": 80 }, - "source": { - "address": "10.24.136.240", - "ip": "10.24.136.240" - }, - "url": { - "path": "/app_data/cache/f/b/7/1/2/7/fb71277260ae26a108c3608ce1a62474a55b2556.jpg", - "extension": "jpg", - "original": "/app_data/cache/f/b/7/1/2/7/fb71277260ae26a108c3608ce1a62474a55b2556.jpg", - "domain": "images.hogeschoolrotterdam.nl", - "query": "width=75\u0026height=40\u0026mode=crop" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "forwarded_ip": "67.43.156.14" - }, - "iis": { - "access": { - "site_name": "W3SVC2", - "server_name": "freca1", - "cookie": "BIGipServerYAkgvoMHHYQAGkWEWadfsadfnyAqAere=27246369425.20480.0000", - "sub_status": 0, - "win32_status": 0 - } - }, - "@timestamp": "2020-10-05T21:48:33.000Z", "ecs": { "version": "1.12.0" }, - "related": { - "ip": [ - "10.24.136.240", - "10.24.129.162" + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2020-10-05 21:48:33 W3SVC2 freca1 10.24.129.162 GET 
/app_data/cache/f/b/7/1/2/7/fb71277260ae26a108c3608ce1a62474a55b2556.jpg width=75\u0026height=40\u0026mode=crop 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36+Edge/18.18362 BIGipServerYAkgvoMHHYQAGkWEWadfsadfnyAqAere=27246369425.20480.0000 https://www.rotterdamuas.com/ images.hogeschoolrotterdam.nl 200 0 0 2926 581 0 67.43.156.14", + "outcome": "success", + "type": [ + "connection" ] }, "http": { "request": { - "method": "GET", "body": { "bytes": 581 }, + "method": "GET", "referrer": "https://www.rotterdamuas.com/" }, - "version": "1.1", "response": { "body": { "bytes": 2926 }, "status_code": 200 + }, + "version": "1.1" + }, + "iis": { + "access": { + "cookie": "BIGipServerYAkgvoMHHYQAGkWEWadfsadfnyAqAere=27246369425.20480.0000", + "server_name": "freca1", + "site_name": "W3SVC2", + "sub_status": 0, + "win32_status": 0 } }, - "event": { - "duration": 0, - "ingested": "2021-12-14T14:46:48.252507180Z", - "original": "2020-10-05 21:48:33 W3SVC2 freca1 10.24.129.162 GET /app_data/cache/f/b/7/1/2/7/fb71277260ae26a108c3608ce1a62474a55b2556.jpg width=75\u0026height=40\u0026mode=crop 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36+Edge/18.18362 BIGipServerYAkgvoMHHYQAGkWEWadfsadfnyAqAere=27246369425.20480.0000 https://www.rotterdamuas.com/ images.hogeschoolrotterdam.nl 200 0 0 2926 581 0 67.43.156.14", - "kind": "event", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "outcome": "success" + "network": { + "forwarded_ip": "67.43.156.14" + }, + "related": { + "ip": [ + "10.24.136.240", + "10.24.129.162" + ] + }, + "source": { + "address": "10.24.136.240", + "ip": "10.24.136.240" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "images.hogeschoolrotterdam.nl", + "extension": "jpg", + "original": 
"/app_data/cache/f/b/7/1/2/7/fb71277260ae26a108c3608ce1a62474a55b2556.jpg", + "path": "/app_data/cache/f/b/7/1/2/7/fb71277260ae26a108c3608ce1a62474a55b2556.jpg", + "query": "width=75\u0026height=40\u0026mode=crop" }, "user_agent": { + "device": { + "name": "Other" + }, "name": "Edge", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362", "os": { + "full": "Windows 10", "name": "Windows", - "version": "10", - "full": "Windows 10" - }, - "device": { - "name": "Other" + "version": "10" }, "version": "18.18362" } }, { - "temp": {}, + "@timestamp": "2020-10-08T22:00:22.000Z", "destination": { "address": "10.24.129.162", - "port": 80, - "domain": "images.hogeschoolrotterdam.nl", - "ip": "10.24.129.162" - }, - "source": { - "address": "10.24.136.240", - "ip": "10.24.136.240" - }, - "url": { - "path": "/Blob/a9e2fe596ac14a4ab07beb6b6e2c6545/15a3917cacf44de59af9cc899e90a9d4.png", - "extension": "png", - "original": "/Blob/a9e2fe596ac14a4ab07beb6b6e2c6545/15a3917cacf44de59af9cc899e90a9d4.png", "domain": "images.hogeschoolrotterdam.nl", - "query": "width=60\u0026height=20\u0026mode=crop" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "forwarded_ip": "67.43.156.14" + "ip": "10.24.129.162", + "port": 80 }, - "iis": { - "access": { - "site_name": "W3SVC2", - "server_name": "freca1", - "cookie": "imagedpi=1;+imagequality=30;+_ga=GA1.2.14440223724.16021494379;+_gid=GA1.2.12504478161.16021944379;+_gat_UA-155746052-5=1;+BIGipServerYAkgvoMHHYQAGkWsadfsdfEWnyAqA=!vbipVwbt0UWJ4QSsPvjjVxViTXMqdXWYaferu1dRyQoUTVVBGLZPB39PoNX5Tw66+GT0ChJCfnp/xfhM8lI=;+_gcl_au=1.1.1297303538.1602194379", - "sub_status": 0, - "win32_status": 0 - } - }, - "@timestamp": "2020-10-08T22:00:22.000Z", "ecs": { "version": "1.12.0" }, - "related": { - "ip": [ - "10.24.136.240", - "10.24.129.162" + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2020-10-08 22:00:22 
W3SVC2 freca1 10.24.129.162 GET /Blob/a9e2fe596ac14a4ab07beb6b6e2c6545/15a3917cacf44de59af9cc899e90a9d4.png width=60\u0026height=20\u0026mode=crop 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+13_7+like+Mac+OS+X)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/13.1.2+Mobile/15E148+Safari/604.1 imagedpi=1;+imagequality=30;+_ga=GA1.2.14440223724.16021494379;+_gid=GA1.2.12504478161.16021944379;+_gat_UA-155746052-5=1;+BIGipServerYAkgvoMHHYQAGkWsadfsdfEWnyAqA=!vbipVwbt0UWJ4QSsPvjjVxViTXMqdXWYaferu1dRyQoUTVVBGLZPB39PoNX5Tw66+GT0ChJCfnp/xfhM8lI=;+_gcl_au=1.1.1297303538.1602194379 https://www.hogeschoolrotterdam.nl/opleidingen/bachelor/elektrotechniek/voltijd/ images.hogeschoolrotterdam.nl 304 0 0 388 979 15 67.43.156.14", + "outcome": "success", + "type": [ + "connection" ] }, "http": { "request": { - "method": "GET", "body": { "bytes": 979 }, + "method": "GET", "referrer": "https://www.hogeschoolrotterdam.nl/opleidingen/bachelor/elektrotechniek/voltijd/" }, - "version": "1.1", "response": { "body": { "bytes": 388 }, "status_code": 304 + }, + "version": "1.1" + }, + "iis": { + "access": { + "cookie": "imagedpi=1;+imagequality=30;+_ga=GA1.2.14440223724.16021494379;+_gid=GA1.2.12504478161.16021944379;+_gat_UA-155746052-5=1;+BIGipServerYAkgvoMHHYQAGkWsadfsdfEWnyAqA=!vbipVwbt0UWJ4QSsPvjjVxViTXMqdXWYaferu1dRyQoUTVVBGLZPB39PoNX5Tw66+GT0ChJCfnp/xfhM8lI=;+_gcl_au=1.1.1297303538.1602194379", + "server_name": "freca1", + "site_name": "W3SVC2", + "sub_status": 0, + "win32_status": 0 } }, - "event": { - "duration": 15000000, - "ingested": "2021-12-14T14:46:48.252507584Z", - "original": "2020-10-08 22:00:22 W3SVC2 freca1 10.24.129.162 GET /Blob/a9e2fe596ac14a4ab07beb6b6e2c6545/15a3917cacf44de59af9cc899e90a9d4.png width=60\u0026height=20\u0026mode=crop 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+13_7+like+Mac+OS+X)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/13.1.2+Mobile/15E148+Safari/604.1 
imagedpi=1;+imagequality=30;+_ga=GA1.2.14440223724.16021494379;+_gid=GA1.2.12504478161.16021944379;+_gat_UA-155746052-5=1;+BIGipServerYAkgvoMHHYQAGkWsadfsdfEWnyAqA=!vbipVwbt0UWJ4QSsPvjjVxViTXMqdXWYaferu1dRyQoUTVVBGLZPB39PoNX5Tw66+GT0ChJCfnp/xfhM8lI=;+_gcl_au=1.1.1297303538.1602194379 https://www.hogeschoolrotterdam.nl/opleidingen/bachelor/elektrotechniek/voltijd/ images.hogeschoolrotterdam.nl 304 0 0 388 979 15 67.43.156.14", - "kind": "event", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "outcome": "success" + "network": { + "forwarded_ip": "67.43.156.14" + }, + "related": { + "ip": [ + "10.24.136.240", + "10.24.129.162" + ] + }, + "source": { + "address": "10.24.136.240", + "ip": "10.24.136.240" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "images.hogeschoolrotterdam.nl", + "extension": "png", + "original": "/Blob/a9e2fe596ac14a4ab07beb6b6e2c6545/15a3917cacf44de59af9cc899e90a9d4.png", + "path": "/Blob/a9e2fe596ac14a4ab07beb6b6e2c6545/15a3917cacf44de59af9cc899e90a9d4.png", + "query": "width=60\u0026height=20\u0026mode=crop" }, "user_agent": { + "device": { + "name": "iPhone" + }, "name": "Mobile Safari", "original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Mobile/15E148 Safari/604.1", "os": { + "full": "iOS 13.7", "name": "iOS", - "version": "13.7", - "full": "iOS 13.7" - }, - "device": { - "name": "iPhone" + "version": "13.7" }, "version": "13.1.2" } }, { - "temp": {}, + "@timestamp": "2020-10-08T22:00:22.000Z", "destination": { "address": "10.24.129.162", - "port": 80, "domain": "images.hogeschoolrotterdam.nl", - "ip": "10.24.129.162" - }, - "source": { - "address": "10.24.136.240", - "ip": "10.24.136.240" + "ip": "10.24.129.162", + "port": 80 }, - "url": { - "path": "/Blob/ff64cd9efcf4424dbf06b3b8133eeea2/f2e0b2998b1f43cb98e5b31c7faa91f4.jpg", - "extension": "jpg", - "original": 
"/Blob/ff64cd9efcf4424dbf06b3b8133eeea2/f2e0b2998b1f43cb98e5b31c7faa91f4.jpg", - "domain": "images.hogeschoolrotterdam.nl", - "query": "width=60\u0026height=20\u0026mode=crop" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "forwarded_ip": "67.43.156.14" - }, - "iis": { - "access": { - "site_name": "W3SVC2", - "server_name": "freca1", - "cookie": "imagedpi=1;+imagequality=30;+_ga=GA1.2.14440223724.16021494379;+_gid=GA1.2.12504748161.16021944379;+_gat_UA-155764052-5=1;+BIGipServerYAkgvoMHHYQAGkWEsadfsdfsWnyAqA=!vbipVwbt0UWJ4QSsPvjjVxViTXMqdXWYu1dRyQoUTVerwerVBGLZPB39PoNX5Tw66+GT0ChJCfnp/xfhM8lI=;+_gcl_au=1.1.1297303538.1602194379", - "sub_status": 0, - "win32_status": 0 - } - }, - "@timestamp": "2020-10-08T22:00:22.000Z", "ecs": { "version": "1.12.0" }, - "related": { - "ip": [ - "10.24.136.240", - "10.24.129.162" + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2020-10-08 22:00:22 W3SVC2 freca1 10.24.129.162 GET /Blob/ff64cd9efcf4424dbf06b3b8133eeea2/f2e0b2998b1f43cb98e5b31c7faa91f4.jpg width=60\u0026height=20\u0026mode=crop 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+13_7+like+Mac+OS+X)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/13.1.2+Mobile/15E148+Safari/604.1 imagedpi=1;+imagequality=30;+_ga=GA1.2.14440223724.16021494379;+_gid=GA1.2.12504748161.16021944379;+_gat_UA-155764052-5=1;+BIGipServerYAkgvoMHHYQAGkWEsadfsdfsWnyAqA=!vbipVwbt0UWJ4QSsPvjjVxViTXMqdXWYu1dRyQoUTVerwerVBGLZPB39PoNX5Tw66+GT0ChJCfnp/xfhM8lI=;+_gcl_au=1.1.1297303538.1602194379 https://www.hogeschoolrotterdam.nl/opleidingen/bachelor/elektrotechniek/voltijd/ images.hogeschoolrotterdam.nl 304 0 0 388 979 0 67.43.156.14", + "outcome": "success", + "type": [ + "connection" ] }, "http": { "request": { - "method": "GET", "body": { "bytes": 979 }, + "method": "GET", "referrer": "https://www.hogeschoolrotterdam.nl/opleidingen/bachelor/elektrotechniek/voltijd/" }, - "version": "1.1", "response": { "body": { "bytes": 388 }, 
"status_code": 304 + }, + "version": "1.1" + }, + "iis": { + "access": { + "cookie": "imagedpi=1;+imagequality=30;+_ga=GA1.2.14440223724.16021494379;+_gid=GA1.2.12504748161.16021944379;+_gat_UA-155764052-5=1;+BIGipServerYAkgvoMHHYQAGkWEsadfsdfsWnyAqA=!vbipVwbt0UWJ4QSsPvjjVxViTXMqdXWYu1dRyQoUTVerwerVBGLZPB39PoNX5Tw66+GT0ChJCfnp/xfhM8lI=;+_gcl_au=1.1.1297303538.1602194379", + "server_name": "freca1", + "site_name": "W3SVC2", + "sub_status": 0, + "win32_status": 0 } }, - "event": { - "duration": 0, - "ingested": "2021-12-14T14:46:48.252507970Z", - "original": "2020-10-08 22:00:22 W3SVC2 freca1 10.24.129.162 GET /Blob/ff64cd9efcf4424dbf06b3b8133eeea2/f2e0b2998b1f43cb98e5b31c7faa91f4.jpg width=60\u0026height=20\u0026mode=crop 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+13_7+like+Mac+OS+X)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/13.1.2+Mobile/15E148+Safari/604.1 imagedpi=1;+imagequality=30;+_ga=GA1.2.14440223724.16021494379;+_gid=GA1.2.12504748161.16021944379;+_gat_UA-155764052-5=1;+BIGipServerYAkgvoMHHYQAGkWEsadfsdfsWnyAqA=!vbipVwbt0UWJ4QSsPvjjVxViTXMqdXWYu1dRyQoUTVerwerVBGLZPB39PoNX5Tw66+GT0ChJCfnp/xfhM8lI=;+_gcl_au=1.1.1297303538.1602194379 https://www.hogeschoolrotterdam.nl/opleidingen/bachelor/elektrotechniek/voltijd/ images.hogeschoolrotterdam.nl 304 0 0 388 979 0 67.43.156.14", - "kind": "event", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "outcome": "success" + "network": { + "forwarded_ip": "67.43.156.14" + }, + "related": { + "ip": [ + "10.24.136.240", + "10.24.129.162" + ] + }, + "source": { + "address": "10.24.136.240", + "ip": "10.24.136.240" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "images.hogeschoolrotterdam.nl", + "extension": "jpg", + "original": "/Blob/ff64cd9efcf4424dbf06b3b8133eeea2/f2e0b2998b1f43cb98e5b31c7faa91f4.jpg", + "path": "/Blob/ff64cd9efcf4424dbf06b3b8133eeea2/f2e0b2998b1f43cb98e5b31c7faa91f4.jpg", + "query": "width=60\u0026height=20\u0026mode=crop" 
}, "user_agent": { + "device": { + "name": "iPhone" + }, "name": "Mobile Safari", "original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Mobile/15E148 Safari/604.1", "os": { + "full": "iOS 13.7", "name": "iOS", - "version": "13.7", - "full": "iOS 13.7" - }, - "device": { - "name": "iPhone" + "version": "13.7" }, "version": "13.1.2" } diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for.log-expected.json b/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for.log-expected.json index 1fced876992..dce159bf7ed 100644 --- a/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for.log-expected.json +++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for.log-expected.json 
@@ -1,25 +1,35 @@ { "expected": [ { - "temp": {}, + "@timestamp": "2020-10-07T23:00:17.000Z", "destination": { - "port": 443, "address": "192.168.16.11", - "ip": "192.168.16.11" + "ip": "192.168.16.11", + "port": 443 }, - "source": { - "address": "192.168.7.63", - "ip": "192.168.7.63" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/Production-UI/api/finance/legacy/GeneralLedger/LoadBatchTotals", - "original": "/Production-UI/api/finance/legacy/GeneralLedger/LoadBatchTotals" + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2020-10-07 23:00:17 192.168.16.11 POST /Production-UI/api/finance/legacy/GeneralLedger/LoadBatchTotals - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 26 192.168.198.23", + "outcome": "success", + "type": [ + "connection" + ] }, - "tags": [ - "preserve_original_event" - ], - "network": { - "forwarded_ip": "192.168.198.23" + "http": { + "request": { + "method": "POST", + "referrer": "https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB" + }, + "response": { + "status_code": 200 + } }, "iis": { "access": { @@ -27,9 +37,8 @@ "win32_status": 0 } }, - "@timestamp": "2020-10-07T23:00:17.000Z", - "ecs": { - "version": "1.12.0" + "network": { + "forwarded_ip": "192.168.198.23" }, "related": { "ip": [ 
@@ -37,63 +46,61 @@ "192.168.16.11" ] }, - "http": { - "request": { - "method": "POST", - "referrer": "https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB" - }, - "response": { - "status_code": 200 - } + "source": { + "address": "192.168.7.63", + "ip": "192.168.7.63" }, - "event": { - "duration": 26000000, - "ingested": "2021-12-14T14:46:49.526779223Z", - "original": "2020-10-07 23:00:17 192.168.16.11 POST /Production-UI/api/finance/legacy/GeneralLedger/LoadBatchTotals - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 26 192.168.198.23", - "kind": "event", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "/Production-UI/api/finance/legacy/GeneralLedger/LoadBatchTotals", + "path": "/Production-UI/api/finance/legacy/GeneralLedger/LoadBatchTotals" }, "user_agent": { + "device": { + "name": "Other" + }, "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.43.156.13 Safari/537.36", "os": { + "full": "Windows 10", "name": "Windows", - "version": "10", - "full": "Windows 10" - }, - "device": { - "name": "Other" + "version": "10" }, "version": "67.43.156.13" } }, { - "temp": {}, + "@timestamp": "2020-10-07T23:00:17.000Z", "destination": { - "port": 443, "address": "192.168.16.11", - "ip": "192.168.16.11" + "ip": "192.168.16.11", + "port": 443 }, - "source": { - "address": "192.168.7.63", - "ip": "192.168.7.63" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/Production-UI/api/finance/legacy/GeneralLedger/LoadBatchTotals", - "original": "/Production-UI/api/finance/legacy/GeneralLedger/LoadBatchTotals" + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + 
"original": "2020-10-07 23:00:17 192.168.16.11 POST /Production-UI/api/finance/legacy/GeneralLedger/LoadBatchTotals - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 32 192.168.198.23", + "outcome": "success", + "type": [ + "connection" + ] }, - "tags": [ - "preserve_original_event" - ], - "network": { - "forwarded_ip": "192.168.198.23" + "http": { + "request": { + "method": "POST", + "referrer": "https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB" + }, + "response": { + "status_code": 200 + } }, "iis": { "access": { @@ -101,9 +108,8 @@ "win32_status": 0 } }, - "@timestamp": "2020-10-07T23:00:17.000Z", - "ecs": { - "version": "1.12.0" + "network": { + "forwarded_ip": "192.168.198.23" }, "related": { "ip": [ 
@@ -111,63 +117,61 @@ "192.168.16.11" ] }, - "http": { - "request": { - "method": "POST", - "referrer": "https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB" - }, - "response": { - "status_code": 200 - } + "source": { + "address": "192.168.7.63", + "ip": "192.168.7.63" }, - "event": { - "duration": 32000000, - "ingested": "2021-12-14T14:46:49.526782023Z", - "original": "2020-10-07 23:00:17 192.168.16.11 POST /Production-UI/api/finance/legacy/GeneralLedger/LoadBatchTotals - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 32 192.168.198.23", - "kind": "event", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "/Production-UI/api/finance/legacy/GeneralLedger/LoadBatchTotals", + "path": "/Production-UI/api/finance/legacy/GeneralLedger/LoadBatchTotals" }, "user_agent": { + "device": { + "name": "Other" + }, "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.43.156.13 Safari/537.36", "os": { + "full": "Windows 10", "name": "Windows", - "version": "10", - "full": "Windows 10" - }, - "device": { - "name": "Other" + "version": "10" }, "version": "67.43.156.13" } }, { - "temp": {}, + "@timestamp": "2020-10-07T23:00:17.000Z", "destination": { - "port": 443, "address": "192.168.16.11", - "ip": "192.168.16.11" + "ip": "192.168.16.11", + "port": 443 }, - "source": { - "address": "192.168.7.63", - "ip": "192.168.7.63" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/Production-UI/api/finance/legacy/GeneralLedger/LoadJETotals", - "original": "/Production-UI/api/finance/legacy/GeneralLedger/LoadJETotals" + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": 
"2020-10-07 23:00:17 192.168.16.11 POST /Production-UI/api/finance/legacy/GeneralLedger/LoadJETotals - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 46 192.168.198.23", + "outcome": "success", + "type": [ + "connection" + ] }, - "tags": [ - "preserve_original_event" - ], - "network": { - "forwarded_ip": "192.168.198.23" + "http": { + "request": { + "method": "POST", + "referrer": "https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB" + }, + "response": { + "status_code": 200 + } }, "iis": { "access": { @@ -175,9 +179,8 @@ "win32_status": 0 } }, - "@timestamp": "2020-10-07T23:00:17.000Z", - "ecs": { - "version": "1.12.0" + "network": { + "forwarded_ip": "192.168.198.23" }, "related": { "ip": [ 
@@ -185,64 +188,61 @@ "192.168.16.11" ] }, - "http": { - "request": { - "method": "POST", - "referrer": "https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB" - }, - "response": { - "status_code": 200 - } + "source": { + "address": "192.168.7.63", + "ip": "192.168.7.63" }, - "event": { - "duration": 46000000, - "ingested": "2021-12-14T14:46:49.526782477Z", - "original": "2020-10-07 23:00:17 192.168.16.11 POST /Production-UI/api/finance/legacy/GeneralLedger/LoadJETotals - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 46 192.168.198.23", - "kind": "event", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "/Production-UI/api/finance/legacy/GeneralLedger/LoadJETotals", + "path": "/Production-UI/api/finance/legacy/GeneralLedger/LoadJETotals" }, "user_agent": { + "device": { + "name": "Other" + }, "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.43.156.13 Safari/537.36", "os": { + "full": "Windows 10", "name": "Windows", - "version": "10", - "full": "Windows 10" - }, - "device": { - "name": "Other" + "version": "10" }, "version": "67.43.156.13" } }, { - "temp": {}, + "@timestamp": "2020-10-07T23:00:17.000Z", "destination": { - "port": 443, "address": "192.168.16.11", - "ip": "192.168.16.11" + "ip": "192.168.16.11", + "port": 443 }, - "source": { - "address": "192.168.7.63", - "ip": "192.168.7.63" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/Production-UI/data/finance/legacy/GLAPAprvMaster", - "original": "/Production-UI/data/finance/legacy/GLAPAprvMaster", - "query": "$filter=BatchId eq 'FY21HSNG0820'\u0026$orderby=Subsys,Ref\u0026$skip=0\u0026$top=20" + "event": { + 
"category": [ + "web", + "network" + ], + "kind": "event", + "original": "2020-10-07 23:00:17 192.168.16.11 GET /Production-UI/data/finance/legacy/GLAPAprvMaster $filter=BatchId%20eq%20%27FY21HSNG0820%27\u0026$orderby=Subsys,Ref\u0026$skip=0\u0026$top=20 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 32 192.168.198.23", + "outcome": "success", + "type": [ + "connection" + ] }, - "tags": [ - "preserve_original_event" - ], - "network": { - "forwarded_ip": "192.168.198.23" + "http": { + "request": { + "method": "GET", + "referrer": "https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB" + }, + "response": { + "status_code": 200 + } }, "iis": { "access": { @@ -250,9 +250,8 @@ "win32_status": 0 } }, - "@timestamp": "2020-10-07T23:00:17.000Z", - "ecs": { - "version": "1.12.0" + "network": { + "forwarded_ip": "192.168.198.23" }, "related": { "ip": [ 
@@ -260,64 +259,62 @@ "192.168.16.11" ] }, - "http": { - "request": { - "method": "GET", - "referrer": "https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB" - }, - "response": { - "status_code": 200 - } + "source": { + "address": "192.168.7.63", + "ip": "192.168.7.63" }, - "event": { - "duration": 32000000, - "ingested": "2021-12-14T14:46:49.526782875Z", - "original": "2020-10-07 23:00:17 192.168.16.11 GET /Production-UI/data/finance/legacy/GLAPAprvMaster $filter=BatchId%20eq%20%27FY21HSNG0820%27\u0026$orderby=Subsys,Ref\u0026$skip=0\u0026$top=20 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 32 192.168.198.23", - "kind": "event", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "/Production-UI/data/finance/legacy/GLAPAprvMaster", + "path": "/Production-UI/data/finance/legacy/GLAPAprvMaster", + "query": "$filter=BatchId eq 'FY21HSNG0820'\u0026$orderby=Subsys,Ref\u0026$skip=0\u0026$top=20" }, "user_agent": { + "device": { + "name": "Other" + }, "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.43.156.13 Safari/537.36", "os": { + "full": "Windows 10", "name": "Windows", - "version": "10", - "full": "Windows 10" - }, - "device": { - "name": "Other" + "version": "10" }, "version": "67.43.156.13" } }, { - "temp": {}, + "@timestamp": "2020-10-07T23:00:17.000Z", "destination": { - "port": 443, "address": "192.168.16.11", - "ip": "192.168.16.11" + "ip": "192.168.16.11", + "port": 443 }, - "source": { - "address": "192.168.7.63", - "ip": "192.168.7.63" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/Production-UI/data/finance/legacy/GLATrnsDetail", - "original": 
"/Production-UI/data/finance/legacy/GLATrnsDetail", - "query": "$filter=Subsys eq 'JE' and Ref eq 'HSNG08-MR' and BatchId eq 'FY21HSNG0820'\u0026$orderby=RecNo\u0026$skip=0\u0026$top=20" + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2020-10-07 23:00:17 192.168.16.11 GET /Production-UI/data/finance/legacy/GLATrnsDetail $filter=Subsys%20eq%20%27JE%27%20and%20Ref%20eq%20%27HSNG08-MR%27%20and%20BatchId%20eq%20%27FY21HSNG0820%27\u0026$orderby=RecNo\u0026$skip=0\u0026$top=20 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 166 192.168.198.23", + "outcome": "success", + "type": [ + "connection" + ] }, - "tags": [ - "preserve_original_event" - ], - "network": { - "forwarded_ip": "192.168.198.23" + "http": { + "request": { + "method": "GET", + "referrer": "https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB" + }, + "response": { + "status_code": 200 + } }, "iis": { "access": { @@ -325,9 +322,8 @@ "win32_status": 0 } }, - "@timestamp": "2020-10-07T23:00:17.000Z", - "ecs": { - "version": "1.12.0" + "network": { + "forwarded_ip": "192.168.198.23" }, "related": { "ip": [ 
@@ -335,63 +331,62 @@ "192.168.16.11" ] }, - "http": { - "request": { - "method": "GET", - "referrer": "https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB" - }, - "response": { - "status_code": 200 - } + "source": { + "address": "192.168.7.63", + "ip": "192.168.7.63" }, - "event": { - "duration": 166000000, - "ingested": "2021-12-14T14:46:49.526783256Z", - "original": "2020-10-07 23:00:17 192.168.16.11 GET /Production-UI/data/finance/legacy/GLATrnsDetail $filter=Subsys%20eq%20%27JE%27%20and%20Ref%20eq%20%27HSNG08-MR%27%20and%20BatchId%20eq%20%27FY21HSNG0820%27\u0026$orderby=RecNo\u0026$skip=0\u0026$top=20 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 166 192.168.198.23", - "kind": "event", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "/Production-UI/data/finance/legacy/GLATrnsDetail", + "path": "/Production-UI/data/finance/legacy/GLATrnsDetail", + "query": "$filter=Subsys eq 'JE' and Ref eq 'HSNG08-MR' and BatchId eq 'FY21HSNG0820'\u0026$orderby=RecNo\u0026$skip=0\u0026$top=20" }, "user_agent": { + "device": { + "name": "Other" + }, "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.43.156.13 Safari/537.36", "os": { + "full": "Windows 10", "name": "Windows", - "version": "10", - "full": "Windows 10" - }, - "device": { - "name": "Other" + "version": "10" }, "version": "67.43.156.13" } }, { - "temp": {}, + "@timestamp": "2020-10-07T23:06:42.000Z", "destination": { - "port": 443, "address": "192.168.16.11", - "ip": "192.168.16.11" + "ip": "192.168.16.11", + "port": 443 }, - "source": { - "address": "192.168.7.63", - "ip": "192.168.7.63" + "ecs": { + "version": "1.12.0" }, - "url": 
{ - "path": "/Production-UI/api/finance/legacy/documents/PendingAttachments/GLJEUB", - "original": "/Production-UI/api/finance/legacy/documents/PendingAttachments/GLJEUB" + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2020-10-07 23:06:42 192.168.16.11 GET /Production-UI/api/finance/legacy/documents/PendingAttachments/GLJEUB - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 60 192.168.198.23", + "outcome": "success", + "type": [ + "connection" + ] }, - "tags": [ - "preserve_original_event" - ], - "network": { - "forwarded_ip": "192.168.198.23" + "http": { + "request": { + "method": "GET", + "referrer": "https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB" + }, + "response": { + "status_code": 200 + } }, "iis": { "access": { @@ -399,9 +394,8 @@ "win32_status": 0 } }, - "@timestamp": "2020-10-07T23:06:42.000Z", - "ecs": { - "version": "1.12.0" + "network": { + "forwarded_ip": "192.168.198.23" }, "related": { "ip": [ 
@@ -409,63 +403,61 @@ "192.168.16.11" ] }, - "http": { - "request": { - "method": "GET", - "referrer": "https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB" - }, - "response": { - "status_code": 200 - } + "source": { + "address": "192.168.7.63", + "ip": "192.168.7.63" }, - "event": { - "duration": 60000000, - "ingested": "2021-12-14T14:46:49.526783625Z", - "original": "2020-10-07 23:06:42 192.168.16.11 GET /Production-UI/api/finance/legacy/documents/PendingAttachments/GLJEUB - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 60 192.168.198.23", - "kind": "event", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "/Production-UI/api/finance/legacy/documents/PendingAttachments/GLJEUB", + "path": "/Production-UI/api/finance/legacy/documents/PendingAttachments/GLJEUB" }, "user_agent": { + "device": { + "name": "Other" + }, "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.43.156.13 Safari/537.36", "os": { + "full": "Windows 10", "name": "Windows", - "version": "10", - "full": "Windows 10" - }, - "device": { - "name": "Other" + "version": "10" }, "version": "67.43.156.13" } }, { - "temp": {}, + "@timestamp": "2020-10-07T23:06:42.000Z", "destination": { - "port": 443, "address": "192.168.16.11", - "ip": "192.168.16.11" + "ip": "192.168.16.11", + "port": 443 }, - "source": { - "address": "192.168.7.63", - "ip": "192.168.7.63" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/Production-UI/api/finance/legacy/documents/GLATrnsDetail/attachments/", - "original": "/Production-UI/api/finance/legacy/documents/GLATrnsDetail/attachments/" + "event": { + "category": [ + "web", + "network" + ], 
+ "kind": "event", + "original": "2020-10-07 23:06:42 192.168.16.11 POST /Production-UI/api/finance/legacy/documents/GLATrnsDetail/attachments/ - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 72 192.168.198.23", + "outcome": "success", + "type": [ + "connection" + ] }, - "tags": [ - "preserve_original_event" - ], - "network": { - "forwarded_ip": "192.168.198.23" + "http": { + "request": { + "method": "POST", + "referrer": "https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB" + }, + "response": { + "status_code": 200 + } }, "iis": { "access": { @@ -473,9 +465,8 @@ "win32_status": 0 } }, - "@timestamp": "2020-10-07T23:06:42.000Z", - "ecs": { - "version": "1.12.0" + "network": { + "forwarded_ip": "192.168.198.23" }, "related": { "ip": [ 
@@ -483,63 +474,61 @@ "192.168.16.11" ] }, - "http": { - "request": { - "method": "POST", - "referrer": "https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB" - }, - "response": { - "status_code": 200 - } + "source": { + "address": "192.168.7.63", + "ip": "192.168.7.63" }, - "event": { - "duration": 72000000, - "ingested": "2021-12-14T14:46:49.526784018Z", - "original": "2020-10-07 23:06:42 192.168.16.11 POST /Production-UI/api/finance/legacy/documents/GLATrnsDetail/attachments/ - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 72 192.168.198.23", - "kind": "event", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "/Production-UI/api/finance/legacy/documents/GLATrnsDetail/attachments/", + "path": "/Production-UI/api/finance/legacy/documents/GLATrnsDetail/attachments/" }, "user_agent": { + "device": { + "name": "Other" + }, "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.43.156.13 Safari/537.36", "os": { + "full": "Windows 10", "name": "Windows", - "version": "10", - "full": "Windows 10" - }, - "device": { - "name": "Other" + "version": "10" }, "version": "67.43.156.13" } }, { - "temp": {}, + "@timestamp": "2020-10-07T23:06:42.000Z", "destination": { - "port": 443, "address": "192.168.16.11", - "ip": "192.168.16.11" + "ip": "192.168.16.11", + "port": 443 }, - "source": { - "address": "192.168.7.63", - "ip": "192.168.7.63" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/Production-UI/api/finance/legacy/documents/GLAPAprvMaster/attachments/", - "original": "/Production-UI/api/finance/legacy/documents/GLAPAprvMaster/attachments/" + "event": { + "category": [ + "web", + 
"network" + ], + "kind": "event", + "original": "2020-10-07 23:06:42 192.168.16.11 POST /Production-UI/api/finance/legacy/documents/GLAPAprvMaster/attachments/ - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 88 192.168.198.23", + "outcome": "success", + "type": [ + "connection" + ] }, - "tags": [ - "preserve_original_event" - ], - "network": { - "forwarded_ip": "192.168.198.23" + "http": { + "request": { + "method": "POST", + "referrer": "https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB" + }, + "response": { + "status_code": 200 + } }, "iis": { "access": { @@ -547,9 +536,8 @@ "win32_status": 0 } }, - "@timestamp": "2020-10-07T23:06:42.000Z", - "ecs": { - "version": "1.12.0" + "network": { + "forwarded_ip": "192.168.198.23" }, "related": { "ip": [ 
@@ -557,63 +545,61 @@ "192.168.16.11" ] }, - "http": { - "request": { - "method": "POST", - "referrer": "https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB" - }, - "response": { - "status_code": 200 - } + "source": { + "address": "192.168.7.63", + "ip": "192.168.7.63" }, - "event": { - "duration": 88000000, - "ingested": "2021-12-14T14:46:49.526784412Z", - "original": "2020-10-07 23:06:42 192.168.16.11 POST /Production-UI/api/finance/legacy/documents/GLAPAprvMaster/attachments/ - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 88 192.168.198.23", - "kind": "event", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "/Production-UI/api/finance/legacy/documents/GLAPAprvMaster/attachments/", + "path": "/Production-UI/api/finance/legacy/documents/GLAPAprvMaster/attachments/" }, "user_agent": { + "device": { + "name": "Other" + }, "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.43.156.13 Safari/537.36", "os": { + "full": "Windows 10", "name": "Windows", - "version": "10", - "full": "Windows 10" - }, - "device": { - "name": "Other" + "version": "10" }, "version": "67.43.156.13" } }, { - "temp": {}, + "@timestamp": "2020-10-07T23:07:02.000Z", "destination": { - "port": 443, "address": "192.168.16.11", - "ip": "192.168.16.11" + "ip": "192.168.16.11", + "port": 443 }, - "source": { - "address": "192.168.7.63", - "ip": "192.168.7.63" + "ecs": { + "version": "1.12.0" }, - "url": { - "path": "/Production-UI/api/finance/legacy/documents/attachDoc", - "original": "/Production-UI/api/finance/legacy/documents/attachDoc" + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + 
"original": "2020-10-07 23:07:02 192.168.16.11 POST /Production-UI/api/finance/legacy/documents/attachDoc - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 286 192.168.198.23", + "outcome": "success", + "type": [ + "connection" + ] }, - "tags": [ - "preserve_original_event" - ], - "network": { - "forwarded_ip": "192.168.198.23" + "http": { + "request": { + "method": "POST", + "referrer": "https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB" + }, + "response": { + "status_code": 200 + } }, "iis": { "access": { @@ -621,9 +607,8 @@ "win32_status": 0 } }, - "@timestamp": "2020-10-07T23:07:02.000Z", - "ecs": { - "version": "1.12.0" + "network": { + "forwarded_ip": "192.168.198.23" }, "related": { "ip": [ 
@@ -631,39 +616,27 @@ "192.168.16.11" ] }, - "http": { - "request": { - "method": "POST", - "referrer": "https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB" - }, - "response": { - "status_code": 200 - } + "source": { + "address": "192.168.7.63", + "ip": "192.168.7.63" }, - "event": { - "duration": 286000000, - "ingested": "2021-12-14T14:46:49.526784786Z", - "original": "2020-10-07 23:07:02 192.168.16.11 POST /Production-UI/api/finance/legacy/documents/attachDoc - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 286 192.168.198.23", - "kind": "event", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "/Production-UI/api/finance/legacy/documents/attachDoc", + "path": "/Production-UI/api/finance/legacy/documents/attachDoc" }, "user_agent": { + "device": { + "name": "Other" + }, "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.43.156.13 Safari/537.36", "os": { + "full": "Windows 10", "name": "Windows", - "version": "10", - "full": "Windows 10" - }, - "device": { - "name": "Other" + "version": "10" }, "version": "67.43.156.13" } diff --git a/packages/iis/data_stream/access/elasticsearch/ingest_pipeline/default.yml b/packages/iis/data_stream/access/elasticsearch/ingest_pipeline/default.yml index cda847d7d4e..a0b22477f1a 100644 --- a/packages/iis/data_stream/access/elasticsearch/ingest_pipeline/default.yml +++ b/packages/iis/data_stream/access/elasticsearch/ingest_pipeline/default.yml 
@@ -2,9 +2,6 @@ description: Pipeline for parsing IIS access logs. Requires the geoip and user_agent plugins. processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - set: field: ecs.version value: '1.12.0' @@ -20,14 +17,14 @@ processors: (?:-|%{NOTSPACE:_temp_.url_path}) (?:-|%{NOTSPACE:_temp_.url_query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name}) (?:-|%{IPORHOST:source.address}) (?:-|%{NOTSPACE:user_agent.original}) (?:-|%{NOTSPACE:http.request.referrer}) (?:-|%{NUMBER:http.response.status_code:long}) (?:-|%{NUMBER:iis.access.sub_status:long}) - (?:-|%{NUMBER:iis.access.win32_status:long}) (?:-|%{NUMBER:temp.duration:long})( (?:-|%{IPORHOST:network.forwarded_ip}))?' + (?:-|%{NUMBER:iis.access.win32_status:long}) (?:-|%{NUMBER:_temp_.duration:long})( (?:-|%{IPORHOST:network.forwarded_ip}))?' - '%{TIMESTAMP_ISO8601:iis.access.time} (?:-|%{NOTSPACE:iis.access.site_name}) (?:-|%{WORD:http.request.method}) (?:-|%{NOTSPACE:_temp_.url_path}) (?:-|%{NOTSPACE:_temp_.url_query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name}) (?:-|%{IPORHOST:source.address}) (?:-|%{NOTSPACE:user_agent.original}) (?:-|%{NOTSPACE:iis.access.cookie}) (?:-|%{NOTSPACE:http.request.referrer}) (?:-|%{NOTSPACE:destination.domain}) (?:-|%{NUMBER:http.response.status_code:long}) (?:-|%{NUMBER:iis.access.sub_status:long}) (?:-|%{NUMBER:iis.access.win32_status:long}) (?:-|%{NUMBER:http.response.body.bytes:long}) (?:-|%{NUMBER:http.request.body.bytes:long}) - (?:-|%{NUMBER:temp.duration:long})( (?:-|%{IPORHOST:network.forwarded_ip}))?' + (?:-|%{NUMBER:_temp_.duration:long})( (?:-|%{IPORHOST:network.forwarded_ip}))?' - '%{TIMESTAMP_ISO8601:iis.access.time} (?:-|%{NOTSPACE:iis.access.site_name}) (?:-|%{NOTSPACE:iis.access.server_name}) (?:-|%{IPORHOST:destination.address}) (?:-|%{WORD:http.request.method}) (?:-|%{NOTSPACE:_temp_.url_path}) (?:-|%{NOTSPACE:_temp_.url_query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name}) 
@@ -35,17 +32,17 @@ processors: (?:-|%{NOTSPACE:iis.access.cookie}) (?:-|%{NOTSPACE:http.request.referrer}) (?:-|%{NOTSPACE:destination.domain}) (?:-|%{NUMBER:http.response.status_code:long}) (?:-|%{NUMBER:iis.access.sub_status:long}) (?:-|%{NUMBER:iis.access.win32_status:long}) (?:-|%{NUMBER:http.response.body.bytes:long}) - (?:-|%{NUMBER:http.request.body.bytes:long}) (?:-|%{NUMBER:temp.duration:long})( (?:-|%{IPORHOST:network.forwarded_ip}))?' + (?:-|%{NUMBER:http.request.body.bytes:long}) (?:-|%{NUMBER:_temp_.duration:long})( (?:-|%{IPORHOST:network.forwarded_ip}))?' - '%{TIMESTAMP_ISO8601:iis.access.time} \[%{IPORHOST:destination.address}\]\(http://%{IPORHOST:destination.address}\) (?:-|%{WORD:http.request.method}) (?:-|%{NOTSPACE:_temp_.url_path}) (?:-|%{NOTSPACE:_temp_.url_query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name}) \[%{IPORHOST:source.address}\]\(http://%{IPORHOST:source.address}\) (?:-|%{NOTSPACE:user_agent.original}) (?:-|%{NUMBER:http.response.status_code:long}) (?:-|%{NUMBER:iis.access.sub_status:long}) - (?:-|%{NUMBER:iis.access.win32_status:long}) (?:-|%{NUMBER:temp.duration:long})( (?:-|%{IPORHOST:network.forwarded_ip}))?' + (?:-|%{NUMBER:iis.access.win32_status:long}) (?:-|%{NUMBER:_temp_.duration:long})( (?:-|%{IPORHOST:network.forwarded_ip}))?' - '%{TIMESTAMP_ISO8601:iis.access.time} (?:-|%{IPORHOST:destination.address}) (?:-|%{WORD:http.request.method}) (?:-|%{NOTSPACE:_temp_.url_path}) (?:-|%{NOTSPACE:_temp_.url_query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name}) (?:-|%{IPORHOST:source.address}) (?:-|%{NOTSPACE:user_agent.original}) (?:-|%{NUMBER:http.response.status_code:long}) (?:-|%{NUMBER:iis.access.sub_status:long}) (?:-|%{NUMBER:iis.access.win32_status:long}) - (?:-|%{NUMBER:temp.duration:long})( (?:-|%{IPORHOST:network.forwarded_ip}))?' + (?:-|%{NUMBER:_temp_.duration:long})( (?:-|%{IPORHOST:network.forwarded_ip}))?' - uri_parts: field: _temp_.url_path ignore_failure: true 
@@ -81,12 +78,12 @@ processors: field: iis.access.time - script: lang: painless - source: ctx.event.duration = Math.round(ctx.temp.duration * params.scale) + source: ctx.event.duration = Math.round(ctx._temp_.duration * params.scale) params: scale: 1000000 if: ctx.temp?.duration != null - remove: - field: temp.duration + field: _temp_.duration ignore_missing: true - urldecode: field: user_agent.original diff --git a/packages/iis/data_stream/access/fields/ecs.yml b/packages/iis/data_stream/access/fields/ecs.yml index eaff9a24f6c..80a028d9cb0 100644 --- a/packages/iis/data_stream/access/fields/ecs.yml +++ b/packages/iis/data_stream/access/fields/ecs.yml @@ -92,3 +92,17 @@ name: user_agent.os.version - external: ecs name: user_agent.version +- external: ecs + name: event.original +- external: ecs + name: event.created +- external: ecs + name: event.duration +- external: ecs + name: event.kind +- external: ecs + name: event.category +- external: ecs + name: event.type +- external: ecs + name: event.outcome diff --git a/packages/iis/data_stream/error/_dev/test/pipeline/test-common-config.yml b/packages/iis/data_stream/error/_dev/test/pipeline/test-common-config.yml index 5622947e4b8..4da22641654 100644 --- a/packages/iis/data_stream/error/_dev/test/pipeline/test-common-config.yml +++ b/packages/iis/data_stream/error/_dev/test/pipeline/test-common-config.yml @@ -1,5 +1,3 @@ -dynamic_fields: - event.ingested: ".*" fields: tags: - preserve_original_event diff --git a/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error-72.log-expected.json b/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error-72.log-expected.json index 742c9994e92..1ff23789b4a 100644 --- a/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error-72.log-expected.json +++ b/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error-72.log-expected.json 
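Review bot: The painless script's guard in this hunk still reads `if: ctx.temp?.duration != null` while the grok patterns (the -20 and -35 hunks of this file) and the script's own `source` now write and read `_temp_.duration`, so the condition is never true and `event.duration` is no longer set. The regenerated fixtures bear this out: in the test-iis-access-72 hunks every `"duration": …` entry under `event` is removed and nothing re-adds it, which silently drops the per-request duration that duration-based dashboards and slow-request detections rely on. The fix is the one-line change `if: ctx._temp_?.duration != null`, followed by regenerating the expected files so `event.duration` reappears. The trailing `remove` of `_temp_.duration` with `ignore_missing: true` is what keeps the pipeline tests green despite the regression, so a fixture diff that loses a field should be treated as a failing signal rather than a re-baseline.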
@@ -1,248 +1,244 @@ { "expected": [ { - "iis": { - "error": { - "reason_phrase": "ConnLimit" - } - }, "@timestamp": "2018-01-01T08:09:10.000Z", + "destination": { + "address": "172.31.77.6", + "ip": "172.31.77.6", + "port": 80 + }, "ecs": { "version": "1.12.0" }, - "related": { - "ip": [ - "172.31.77.6", - "172.31.77.6" + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2018-01-01 08:09:10 172.31.77.6 2094 172.31.77.6 80 HTTP/1.1 GET /qos/1kbfile.txt 503 - ConnLimit -", + "outcome": "failure", + "type": [ + "connection" ] }, - "destination": { - "port": 80, - "address": "172.31.77.6", - "ip": "172.31.77.6" - }, "http": { "request": { "method": "GET" }, - "version": "1.1", "response": { "status_code": 503 + }, + "version": "1.1" + }, + "iis": { + "error": { + "reason_phrase": "ConnLimit" } }, + "related": { + "ip": [ + "172.31.77.6", + "172.31.77.6" + ] + }, "source": { - "port": 2094, "address": "172.31.77.6", - "ip": "172.31.77.6" + "ip": "172.31.77.6", + "port": 2094 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "extension": "txt", + "original": "/qos/1kbfile.txt", + "path": "/qos/1kbfile.txt" + } + }, + { + "@timestamp": "2018-01-01T09:10:11.000Z", + "destination": { + "address": "127.0.0.1", + "ip": "127.0.0.1", + "port": 80 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "ingested": "2021-12-14T14:46:51.146852766Z", - "original": "2018-01-01 08:09:10 172.31.77.6 2094 172.31.77.6 80 HTTP/1.1 GET /qos/1kbfile.txt 503 - ConnLimit -", "category": [ "web", "network" ], + "kind": "event", + "original": "2018-01-01 09:10:11 67.43.156.13 2780 127.0.0.1 80 HTTP/1.1 GET /ThisIsMyUrl.htm 400 - Hostname -", + "outcome": "failure", "type": [ "connection" - ], - "kind": "event", - "outcome": "failure" + ] }, - "url": { - "path": "/qos/1kbfile.txt", - "extension": "txt", - "original": "/qos/1kbfile.txt" + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 400 + }, + "version": "1.1" }, 
- "tags": [ - "preserve_original_event" - ] - }, - { "iis": { "error": { "reason_phrase": "Hostname" } }, - "@timestamp": "2018-01-01T09:10:11.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "67.43.156.13", "127.0.0.1" ] }, - "destination": { - "port": 80, - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, - "http": { - "request": { - "method": "GET" - }, - "version": "1.1", - "response": { - "status_code": 400 - } - }, "source": { + "address": "67.43.156.13", + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" + "lat": 27.5, + "lon": 90.5 + } }, - "as": { - "number": 35908 - }, - "address": "67.43.156.13", - "port": 2780, - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "port": 2780 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "extension": "htm", + "original": "/ThisIsMyUrl.htm", + "path": "/ThisIsMyUrl.htm" + } + }, + { + "@timestamp": "2018-01-01T10:11:12.000Z", + "destination": { + "address": "127.0.0.1", + "ip": "127.0.0.1", + "port": 80 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "ingested": "2021-12-14T14:46:51.146855078Z", - "original": "2018-01-01 09:10:11 67.43.156.13 2780 127.0.0.1 80 HTTP/1.1 GET /ThisIsMyUrl.htm 400 - Hostname -", "category": [ "web", "network" ], + "kind": "event", + "original": "2018-01-01 10:11:12 67.43.156.13 2894 127.0.0.1 80 HTTP/2.0 GET / 505 - Version_N/S -", + "outcome": "failure", "type": [ "connection" - ], - "kind": "event", - "outcome": "failure" + ] }, - "url": { - "path": "/ThisIsMyUrl.htm", - "extension": "htm", - "original": "/ThisIsMyUrl.htm" + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 505 + }, + "version": "2.0" }, - "tags": [ - "preserve_original_event" - ] - }, - { "iis": { "error": { "reason_phrase": "Version_N/S" } }, - "@timestamp": "2018-01-01T10:11:12.000Z", - "ecs": { - "version": 
"1.12.0" - }, "related": { "ip": [ "67.43.156.13", "127.0.0.1" ] }, - "destination": { - "port": 80, - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, - "http": { - "request": { - "method": "GET" - }, - "version": "2.0", - "response": { - "status_code": 505 - } - }, "source": { + "address": "67.43.156.13", + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, - "address": "67.43.156.13", - "port": 2894, - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "port": 2894 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "/", + "path": "/" + } + }, + { + "@timestamp": "2018-01-01T11:12:13.000Z", + "destination": { + "address": "127.0.0.1", + "ip": "127.0.0.1", + "port": 80 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "ingested": "2021-12-14T14:46:51.146855565Z", - "original": "2018-01-01 10:11:12 67.43.156.13 2894 127.0.0.1 80 HTTP/2.0 GET / 505 - Version_N/S -", "category": [ "web", "network" ], + "kind": "event", + "original": "2018-01-01 11:12:13 67.43.156.13 64388 127.0.0.1 80 - - - - - Timer_MinBytesPerSecond -", "type": [ "connection" - ], - "kind": "event", - "outcome": "failure" - }, - "url": { - "path": "/", - "original": "/" + ] }, - "tags": [ - "preserve_original_event" - ] - }, - { "iis": { "error": { "reason_phrase": "Timer_MinBytesPerSecond" } }, - "@timestamp": "2018-01-01T11:12:13.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "67.43.156.13", "127.0.0.1" ] }, - "destination": { - "port": 80, - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, "source": { + "address": "67.43.156.13", + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - 
"number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, - "address": "67.43.156.13", - "port": 64388, - "ip": "67.43.156.13" - }, - "event": { - "ingested": "2021-12-14T14:46:51.146855982Z", - "original": "2018-01-01 11:12:13 67.43.156.13 64388 127.0.0.1 80 - - - - - Timer_MinBytesPerSecond -", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "kind": "event" + "ip": "67.43.156.13", + "port": 64388 }, "tags": [ "preserve_original_event" diff --git a/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error.log-expected.json b/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error.log-expected.json index c0fc6cecd03..6f6936660e1 100644 --- a/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error.log-expected.json +++ b/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error.log-expected.json 
@@ -1,548 +1,540 @@ { "expected": [ { - "iis": { - "error": { - "reason_phrase": "URL" - } - }, "@timestamp": "2018-05-05T05:05:55.000Z", + "destination": { + "address": "192.168.101.101", + "ip": "192.168.101.101", + "port": 443 + }, "ecs": { "version": "1.12.0" }, - "related": { - "ip": [ - "67.43.156.15", - "192.168.101.101" + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/0.9 t3 12.2.1 400 - URL -", + "outcome": "failure", + "type": [ + "connection" ] }, - "destination": { - "port": 443, - "address": "192.168.101.101", - "ip": "192.168.101.101" - }, "http": { "request": { "method": "t3" }, - "version": "0.9", "response": { "status_code": 400 + }, + "version": "0.9" + }, + "iis": { + "error": { + "reason_phrase": "URL" } }, + "related": { + "ip": [ + "67.43.156.15", + "192.168.101.101" + ] + }, "source": { + "address": "67.43.156.15", + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, - "address": "67.43.156.15", - "port": 12345, - "ip": "67.43.156.15" + "ip": "67.43.156.15", + "port": 12345 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "extension": "1", + "original": "12.2.1", + "path": "12.2.1" + } + }, + { + "@timestamp": "2018-05-05T05:05:55.000Z", + "destination": { + "address": "192.168.101.101", + "ip": "192.168.101.101", + "port": 443 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "ingested": "2021-12-14T14:46:51.522819409Z", - "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/0.9 t3 12.2.1 400 - URL -", "category": [ "web", "network" ], + "kind": "event", + "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET ./././././../../../../../../../../ 400 - URL -", + 
"outcome": "failure", "type": [ "connection" - ], - "kind": "event", - "outcome": "failure" + ] }, - "url": { - "path": "12.2.1", - "extension": "1", - "original": "12.2.1" + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 400 + }, + "version": "1.1" }, - "tags": [ - "preserve_original_event" - ] - }, - { "iis": { "error": { "reason_phrase": "URL" } }, - "@timestamp": "2018-05-05T05:05:55.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "67.43.156.15", "192.168.101.101" ] }, - "destination": { - "port": 443, - "address": "192.168.101.101", - "ip": "192.168.101.101" - }, - "http": { - "request": { - "method": "GET" - }, - "version": "1.1", - "response": { - "status_code": 400 - } - }, "source": { + "address": "67.43.156.15", + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, - "address": "67.43.156.15", - "port": 12345, - "ip": "67.43.156.15" + "ip": "67.43.156.15", + "port": 12345 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "extension": "/", + "original": "./././././../../../../../../../../", + "path": "./././././../../../../../../../../" + } + }, + { + "@timestamp": "2018-05-05T05:05:55.000Z", + "destination": { + "address": "192.168.101.101", + "ip": "192.168.101.101", + "port": 443 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "ingested": "2021-12-14T14:46:51.522822131Z", - "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET ./././././../../../../../../../../ 400 - URL -", "category": [ "web", "network" ], + "kind": "event", + "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET /..\\pixfir~1\\how_to_login.html 403 - Forbidden -", + "outcome": "failure", "type": [ "connection" - ], - "kind": "event", - 
"outcome": "failure" + ] }, - "url": { - "path": "./././././../../../../../../../../", - "extension": "/", - "original": "./././././../../../../../../../../" + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 403 + }, + "version": "1.1" }, - "tags": [ - "preserve_original_event" - ] - }, - { "iis": { "error": { "reason_phrase": "Forbidden" } }, - "@timestamp": "2018-05-05T05:05:55.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "67.43.156.15", "192.168.101.101" ] }, - "destination": { - "port": 443, - "address": "192.168.101.101", - "ip": "192.168.101.101" - }, - "http": { - "request": { - "method": "GET" - }, - "version": "1.1", - "response": { - "status_code": 403 - } - }, "source": { + "address": "67.43.156.15", + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, - "address": "67.43.156.15", - "port": 12345, - "ip": "67.43.156.15" + "ip": "67.43.156.15", + "port": 12345 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "/..\\pixfir~1\\how_to_login.html" + } + }, + { + "@timestamp": "2018-05-05T05:05:55.000Z", + "destination": { + "address": "192.168.101.101", + "ip": "192.168.101.101", + "port": 443 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "ingested": "2021-12-14T14:46:51.522822594Z", - "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET /..\\pixfir~1\\how_to_login.html 403 - Forbidden -", "category": [ "web", "network" ], + "kind": "event", + "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET ..\\..\\..\\..\\..\\..\\winnt\\win.ini 400 - URL -", + "outcome": "failure", "type": [ "connection" - ], - "kind": "event", - "outcome": "failure" + ] }, - "url": { - "original": 
"/..\\pixfir~1\\how_to_login.html" + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 400 + }, + "version": "1.1" }, - "tags": [ - "preserve_original_event" - ] - }, - { "iis": { "error": { "reason_phrase": "URL" } }, - "@timestamp": "2018-05-05T05:05:55.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "67.43.156.15", "192.168.101.101" ] }, - "destination": { - "port": 443, - "address": "192.168.101.101", - "ip": "192.168.101.101" - }, - "http": { - "request": { - "method": "GET" - }, - "version": "1.1", - "response": { - "status_code": 400 - } - }, "source": { + "address": "67.43.156.15", + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, - "address": "67.43.156.15", - "port": 12345, - "ip": "67.43.156.15" + "ip": "67.43.156.15", + "port": 12345 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "..\\..\\..\\..\\..\\..\\winnt\\win.ini" + } + }, + { + "@timestamp": "2018-05-05T05:05:55.000Z", + "destination": { + "address": "192.168.101.101", + "ip": "192.168.101.101", + "port": 443 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "ingested": "2021-12-14T14:46:51.522822966Z", - "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET ..\\..\\..\\..\\..\\..\\winnt\\win.ini 400 - URL -", "category": [ "web", "network" ], + "kind": "event", + "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET /�.�./�.�./�.�./�.�./�.�./windows/win.ini 404 - NotFound -", + "outcome": "failure", "type": [ "connection" - ], - "kind": "event", - "outcome": "failure" + ] }, - "url": { - "original": "..\\..\\..\\..\\..\\..\\winnt\\win.ini" + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 404 + }, + "version": 
"1.1" }, - "tags": [ - "preserve_original_event" - ] - }, - { "iis": { "error": { "reason_phrase": "NotFound" } }, - "@timestamp": "2018-05-05T05:05:55.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "67.43.156.15", "192.168.101.101" ] }, - "destination": { - "port": 443, - "address": "192.168.101.101", - "ip": "192.168.101.101" - }, - "http": { - "request": { - "method": "GET" - }, - "version": "1.1", - "response": { - "status_code": 404 - } - }, "source": { + "address": "67.43.156.15", + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, - "address": "67.43.156.15", - "port": 12345, - "ip": "67.43.156.15" + "ip": "67.43.156.15", + "port": 12345 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "extension": "ini", + "original": "/�.�./�.�./�.�./�.�./�.�./windows/win.ini", + "path": "/�.�./�.�./�.�./�.�./�.�./windows/win.ini" + } + }, + { + "@timestamp": "2018-05-05T05:05:55.000Z", + "destination": { + "address": "192.168.101.101", + "ip": "192.168.101.101", + "port": 443 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "ingested": "2021-12-14T14:46:51.522823320Z", - "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET /�.�./�.�./�.�./�.�./�.�./windows/win.ini 404 - NotFound -", "category": [ "web", "network" ], + "kind": "event", + "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET /nessus\\..\\..\\..\\..\\..\\..\\winnt\\win.ini 403 - Forbidden -", + "outcome": "failure", "type": [ "connection" - ], - "kind": "event", - "outcome": "failure" + ] }, - "url": { - "path": "/�.�./�.�./�.�./�.�./�.�./windows/win.ini", - "extension": "ini", - "original": "/�.�./�.�./�.�./�.�./�.�./windows/win.ini" + "http": { + "request": { + "method": "GET" + }, + "response": { 
+ "status_code": 403 + }, + "version": "1.1" }, - "tags": [ - "preserve_original_event" - ] - }, - { "iis": { "error": { "reason_phrase": "Forbidden" } }, - "@timestamp": "2018-05-05T05:05:55.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "67.43.156.15", "192.168.101.101" ] }, - "destination": { - "port": 443, - "address": "192.168.101.101", - "ip": "192.168.101.101" - }, - "http": { - "request": { - "method": "GET" - }, - "version": "1.1", - "response": { - "status_code": 403 - } - }, "source": { + "address": "67.43.156.15", + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, - "address": "67.43.156.15", - "port": 12345, - "ip": "67.43.156.15" + "ip": "67.43.156.15", + "port": 12345 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "/nessus\\..\\..\\..\\..\\..\\..\\winnt\\win.ini" + } + }, + { + "@timestamp": "2018-05-05T05:05:55.000Z", + "destination": { + "address": "192.168.101.101", + "ip": "192.168.101.101", + "port": 443 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "ingested": "2021-12-14T14:46:51.522823679Z", - "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET /nessus\\..\\..\\..\\..\\..\\..\\winnt\\win.ini 403 - Forbidden -", "category": [ "web", "network" ], + "kind": "event", + "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 OPTIONS * 404 - NotFound -", + "outcome": "failure", "type": [ "connection" - ], - "kind": "event", - "outcome": "failure" + ] }, - "url": { - "original": "/nessus\\..\\..\\..\\..\\..\\..\\winnt\\win.ini" + "http": { + "request": { + "method": "OPTIONS" + }, + "response": { + "status_code": 404 + }, + "version": "1.1" }, - "tags": [ - "preserve_original_event" - ] - }, - { "iis": { "error": { 
"reason_phrase": "NotFound" } }, - "@timestamp": "2018-05-05T05:05:55.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "67.43.156.15", "192.168.101.101" ] }, - "destination": { - "port": 443, - "address": "192.168.101.101", - "ip": "192.168.101.101" - }, - "http": { - "request": { - "method": "OPTIONS" - }, - "version": "1.1", - "response": { - "status_code": 404 - } - }, "source": { + "address": "67.43.156.15", + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, - "address": "67.43.156.15", - "port": 12345, - "ip": "67.43.156.15" + "ip": "67.43.156.15", + "port": 12345 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "*", + "path": "*" + } + }, + { + "@timestamp": "2018-05-05T05:05:55.000Z", + "destination": { + "address": "192.168.101.101", + "ip": "192.168.101.101", + "port": 443 + }, + "ecs": { + "version": "1.12.0" }, "event": { - "ingested": "2021-12-14T14:46:51.522824037Z", - "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 OPTIONS * 404 - NotFound -", "category": [ "web", "network" ], + "kind": "event", + "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET /fee\u0026fie=foe 400 - URL -", + "outcome": "failure", "type": [ "connection" - ], - "kind": "event", - "outcome": "failure" + ] }, - "url": { - "path": "*", - "original": "*" + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 400 + }, + "version": "1.1" }, - "tags": [ - "preserve_original_event" - ] - }, - { "iis": { "error": { "reason_phrase": "URL" } }, - "@timestamp": "2018-05-05T05:05:55.000Z", - "ecs": { - "version": "1.12.0" - }, "related": { "ip": [ "67.43.156.15", "192.168.101.101" ] }, - "destination": { - "port": 443, - "address": 
"192.168.101.101", - "ip": "192.168.101.101" - }, - "http": { - "request": { - "method": "GET" - }, - "version": "1.1", - "response": { - "status_code": 400 - } - }, "source": { + "address": "67.43.156.15", + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" + "lat": 27.5, + "lon": 90.5 + } }, - "as": { - "number": 35908 - }, - "address": "67.43.156.15", - "port": 12345, - "ip": "67.43.156.15" - }, - "event": { - "ingested": "2021-12-14T14:46:51.522824411Z", - "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET /fee\u0026fie=foe 400 - URL -", - "category": [ - "web", - "network" - ], - "type": [ - "connection" - ], - "kind": "event", - "outcome": "failure" - }, - "url": { - "path": "/fee\u0026fie=foe", - "original": "/fee\u0026fie=foe" + "ip": "67.43.156.15", + "port": 12345 }, "tags": [ "preserve_original_event" - ] + ], + "url": { + "original": "/fee\u0026fie=foe", + "path": "/fee\u0026fie=foe" + } } ] } \ No newline at end of file diff --git a/packages/iis/data_stream/error/_dev/test/pipeline/test-ipv6-zone-id.log-expected.json b/packages/iis/data_stream/error/_dev/test/pipeline/test-ipv6-zone-id.log-expected.json index 657967a2e13..59567955d26 100644 --- a/packages/iis/data_stream/error/_dev/test/pipeline/test-ipv6-zone-id.log-expected.json +++ b/packages/iis/data_stream/error/_dev/test/pipeline/test-ipv6-zone-id.log-expected.json 
@@ -1,42 +1,41 @@
 {
 "expected": [
 {
+ "@timestamp": "2018-12-30T14:22:07.000Z",
+ "destination": {
+ "address": "::1%0",
+ "ip": "::1",
+ "port": 80
+ },
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "event": {
+ "category": [
+ "web",
+ "network"
+ ],
+ "kind": "event",
+ "original": "2018-12-30 14:22:07 ::1%0 49958 ::1%0 80 - - - - - - Timer_ConnectionIdle -",
+ "type": [
+ "connection"
+ ]
+ },
 "iis": {
 "error": {
 "reason_phrase": "Timer_ConnectionIdle"
 }
 },
- "@timestamp": "2018-12-30T14:22:07.000Z",
- "ecs": {
- "version": "1.12.0"
- },
 "related": {
 "ip": [
 "::1",
 "::1"
 ]
 },
- "destination": {
- "port": 80,
- "address": "::1%0",
- "ip": "::1"
- },
 "source": {
- "port": 49958,
 "address": "::1%0",
- "ip": "::1"
- },
- "event": {
- "ingested": "2021-12-14T14:46:52.366866064Z",
- "original": "2018-12-30 14:22:07 ::1%0 49958 ::1%0 80 - - - - - - Timer_ConnectionIdle -",
- "category": [
- "web",
- "network"
- ],
- "type": [
- "connection"
- ],
- "kind": "event"
+ "ip": "::1",
+ "port": 49958
 },
 "tags": [
 "preserve_original_event"
diff --git a/packages/iis/data_stream/error/elasticsearch/ingest_pipeline/default.yml b/packages/iis/data_stream/error/elasticsearch/ingest_pipeline/default.yml
index 54a49a2cfd8..c77034ead5f 100644
--- a/packages/iis/data_stream/error/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/iis/data_stream/error/elasticsearch/ingest_pipeline/default.yml
@@ -1,9 +1,6 @@
 ---
 description: Pipeline for parsing IIS error logs. Requires the geoip plugin.
 processors:
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
 - set:
 field: ecs.version
 value: '1.12.0'
diff --git a/packages/iis/data_stream/error/fields/ecs.yml b/packages/iis/data_stream/error/fields/ecs.yml
index 459a1ab1794..58caadf4de0 100644
--- a/packages/iis/data_stream/error/fields/ecs.yml
+++ b/packages/iis/data_stream/error/fields/ecs.yml
@@ -60,3 +60,17 @@
 name: url.path
 - external: ecs
 name: url.query
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.duration
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.type
+- external: ecs
+ name: event.outcome
diff --git a/packages/iis/docs/README.md b/packages/iis/docs/README.md
index 2860801b790..6d036450cd9 100644
--- a/packages/iis/docs/README.md
+++ b/packages/iis/docs/README.md
@@ -532,8 +532,15 @@ The fields reported are:
 | destination.port | Port of the destination. | long |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | error.message | Error message. | match_only_text |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
 | event.dataset | Event dataset | constant_keyword |
+| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
 | event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
@@ -676,8 +683,15 @@ The fields reported are:
 | destination.port | Port of the destination. | long |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | error.message | Error message. | match_only_text |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
 | event.dataset | Event dataset | constant_keyword |
+| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
 | event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
| keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
diff --git a/packages/iis/manifest.yml b/packages/iis/manifest.yml
index da2acc24d2e..723328f98a8 100644
--- a/packages/iis/manifest.yml
+++ b/packages/iis/manifest.yml
@@ -1,6 +1,6 @@
 name: iis
 title: IIS
-version: 0.8.2
+version: 0.8.3
 description: Collect logs and metrics from Internet Information Services (IIS) servers with Elastic Agent.
 type: integration
 icons: