From 165299cc504f0c1bc38102f93191a8d389aea40b Mon Sep 17 00:00:00 2001
From: Ishleen Kaur
Date: Tue, 10 May 2022 19:36:02 +0530
Subject: [PATCH 1/5] IIS_31547: The iis parsing for IPv6 logs
---
 packages/iis/changelog.yml | 5 +
 .../_dev/test/pipeline/test-iis-access-72.log | 6 +
 .../test-iis-access-72.log-expected.json | 438 ++++++++++++++++++
 .../elasticsearch/ingest_pipeline/default.yml | 3 +
 packages/iis/manifest.yml | 2 +-
 5 files changed, 453 insertions(+), 1 deletion(-)
diff --git a/packages/iis/changelog.yml b/packages/iis/changelog.yml
index d0c0d1a98ad..e425ec8f158 100644
--- a/packages/iis/changelog.yml
+++ b/packages/iis/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.8.5"
+ changes:
+ - description: Parsing of IIS access logs with IPV6 addressing
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3311
 - version: "0.8.4"
 changes:
 - description: Add documentation for multi-fields
diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log
index b2aef333277..76636765915 100644
--- a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log
+++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log
@@ -3,3 +3,9 @@
 2018-12-31 12:02:53 10.44.0.136 GET /Director - 443 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 401 0 0 0
 2018-12-31 12:02:53 10.44.0.136 GET / - 443 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 401 0 0 0
 2018-12-31 12:02:53 10.44.0.136 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:\+/OG 8080 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 64 15
+2022-03-13 02:04:11 10.44.0.136 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:\+/OG 8080 - 10.44.0.136 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 216.160.83.61,81.2.69.193
+2022-03-13 02:04:11 10.44.0.136 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:\+/OG 8080 - 10.44.0.136 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6
+2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - fe81::63ae:94c0:196e:8adf%3 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 81.2.69.144
+2022-03-13 02:04:11 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 81.2.69.143,81.2.69.144
+2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - fe81::63ae:94c0:196e:8adf%3 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6
+2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:\+/OG 8080 - fe81::63ae:94c0:196e:8adf%3 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12
\ No newline at end of file
diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log-expected.json b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log-expected.json
index 4caf0915a1e..47da6e28209 100644
--- a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log-expected.json
+++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log-expected.json
@@ -340,6 +340,444 @@ }, "version": "8.0" } + }, + { + "@timestamp": "2022-03-13T02:04:11.000Z", + "destination": { + "address": "10.44.0.136", + "ip": "10.44.0.136", + "port": 8080 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2022-03-13 02:04:11 10.44.0.136 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:\\+/OG 8080 - 10.44.0.136 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 216.160.83.61,81.2.69.193", + "outcome": "success", + "type": [ + "connection" + ] + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 200 + } + }, + "iis": { + "access": { + "sub_status": 0, + "win32_status": 0 + } + }, + "network": { + "forwarded_ip": "216.160.83.61" + }, + "related": { + "ip": [ + "10.44.0.136", + "10.44.0.136" + ] + }, + "source": { + "address": "10.44.0.136", + "ip": "10.44.0.136" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "extension": "exe", + "original": "/pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe", + "path": "/pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe", + "query": "/c dir c:\\ /OG" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "IE", + "original": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", + "os": { + "full": "Windows XP", + "name": "Windows", + "version": "XP" + }, + "version": "8.0" + } + }, + { + "@timestamp": "2022-03-13T02:04:11.000Z", + "destination": { + "address": "10.44.0.136", + "ip": "10.44.0.136", + "port": 8080 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2022-03-13 02:04:11 10.44.0.136 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:\\+/OG 8080 - 10.44.0.136 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "outcome": 
"success", + "type": [ + "connection" + ] + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 200 + } + }, + "iis": { + "access": { + "sub_status": 0, + "win32_status": 0 + } + }, + "network": { + "forwarded_ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + }, + "related": { + "ip": [ + "10.44.0.136", + "10.44.0.136" + ] + }, + "source": { + "address": "10.44.0.136", + "ip": "10.44.0.136" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "extension": "exe", + "original": "/pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe", + "path": "/pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe", + "query": "/c dir c:\\ /OG" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "IE", + "original": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", + "os": { + "full": "Windows XP", + "name": "Windows", + "version": "XP" + }, + "version": "8.0" + } + }, + { + "@timestamp": "2022-03-13T02:04:11.000Z", + "destination": { + "address": "fe81::63ae:94c0:196e:8adf%3", + "ip": "fe81::63ae:94c0:196e:8adf", + "port": 8080 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - fe81::63ae:94c0:196e:8adf%3 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 81.2.69.144", + "outcome": "success", + "type": [ + "connection" + ] + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 200 + } + }, + "iis": { + "access": { + "sub_status": 0, + "win32_status": 0 + } + }, + "network": { + "forwarded_ip": "81.2.69.144" + }, + "related": { + "ip": [ + "fe81::63ae:94c0:196e:8adf", + "fe81::63ae:94c0:196e:8adf" + ] + }, + "source": { + "address": "fe81::63ae:94c0:196e:8adf%3", + "ip": "fe81::63ae:94c0:196e:8adf" + }, + "tags": [ + 
"preserve_original_event" + ], + "url": { + "extension": "exe", + "original": "/pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe", + "path": "/pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe", + "query": "/c dir c: /OG" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "IE", + "original": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", + "os": { + "full": "Windows XP", + "name": "Windows", + "version": "XP" + }, + "version": "8.0" + } + }, + { + "@timestamp": "2022-03-13T02:04:11.000Z", + "destination": { + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "port": 8080 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2022-03-13 02:04:11 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 81.2.69.143,81.2.69.144", + "outcome": "success", + "type": [ + "connection" + ] + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 200 + } + }, + "iis": { + "access": { + "sub_status": 0, + "win32_status": 0 + } + }, + "network": { + "forwarded_ip": "81.2.69.143" + }, + "related": { + "ip": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ] + }, + "source": { + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62.0, + "lon": 10.0 + } + }, + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "extension": "exe", + "original": "/pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe", + "path": "/pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe", + 
"query": "/c dir c: /OG" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "IE", + "original": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", + "os": { + "full": "Windows XP", + "name": "Windows", + "version": "XP" + }, + "version": "8.0" + } + }, + { + "@timestamp": "2022-03-13T02:04:11.000Z", + "destination": { + "address": "fe81::63ae:94c0:196e:8adf%3", + "ip": "fe81::63ae:94c0:196e:8adf", + "port": 8080 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - fe81::63ae:94c0:196e:8adf%3 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "outcome": "success", + "type": [ + "connection" + ] + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 200 + } + }, + "iis": { + "access": { + "sub_status": 0, + "win32_status": 0 + } + }, + "network": { + "forwarded_ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + }, + "related": { + "ip": [ + "fe81::63ae:94c0:196e:8adf", + "fe81::63ae:94c0:196e:8adf" + ] + }, + "source": { + "address": "fe81::63ae:94c0:196e:8adf%3", + "ip": "fe81::63ae:94c0:196e:8adf" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "extension": "exe", + "original": "/pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe", + "path": "/pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe", + "query": "/c dir c: /OG" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "IE", + "original": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", + "os": { + "full": "Windows XP", + "name": "Windows", + "version": "XP" + }, + "version": "8.0" + } + }, + { + "@timestamp": "2022-03-13T02:04:11.000Z", + "destination": { + "address": "fe81::63ae:94c0:196e:8adf%3", + "ip": 
"fe81::63ae:94c0:196e:8adf", + "port": 8080 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "web", + "network" + ], + "kind": "event", + "original": "2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:\\+/OG 8080 - fe81::63ae:94c0:196e:8adf%3 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12", + "outcome": "success", + "type": [ + "connection" + ] + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 200 + } + }, + "iis": { + "access": { + "sub_status": 0, + "win32_status": 0 + } + }, + "related": { + "ip": [ + "fe81::63ae:94c0:196e:8adf", + "fe81::63ae:94c0:196e:8adf" + ] + }, + "source": { + "address": "fe81::63ae:94c0:196e:8adf%3", + "ip": "fe81::63ae:94c0:196e:8adf" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "extension": "exe", + "original": "/pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe", + "path": "/pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe", + "query": "/c dir c:\\ /OG" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "IE", + "original": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", + "os": { + "full": "Windows XP", + "name": "Windows", + "version": "XP" + }, + "version": "8.0" + } } ] } \ No newline at end of file diff --git a/packages/iis/data_stream/access/elasticsearch/ingest_pipeline/default.yml b/packages/iis/data_stream/access/elasticsearch/ingest_pipeline/default.yml index a0b22477f1a..f8229643ae8 100644 --- a/packages/iis/data_stream/access/elasticsearch/ingest_pipeline/default.yml +++ b/packages/iis/data_stream/access/elasticsearch/ingest_pipeline/default.yml 
@@ -12,6 +12,9 @@ processors:
 - grok:
 field: event.original
 ignore_missing: true
+ pattern_definitions:
+ #This IPV6 pattern changes the zone_id to match non-space characters
+ IPV6: ((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%[^ ]+)?
 patterns:
 - '%{TIMESTAMP_ISO8601:iis.access.time} (?:-|%{IPORHOST:destination.address}) (?:-|%{WORD:http.request.method}) (?:-|%{NOTSPACE:_temp_.url_path}) (?:-|%{NOTSPACE:_temp_.url_query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name})
diff --git a/packages/iis/manifest.yml b/packages/iis/manifest.yml
index 23cf3d4c988..efeb3cf6985 100644
--- a/packages/iis/manifest.yml
+++ b/packages/iis/manifest.yml
@@ -1,6 +1,6 @@
 name: iis
 title: IIS
-version: 0.8.4
+version: 0.8.5
 description: Collect logs and metrics from Internet Information Services (IIS) servers with Elastic Agent.
 type: integration
 icons:
From e71f4e6bda92e4dfb38c9bf59e549770c5dc38bc Mon Sep 17 00:00:00 2001
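Review bot: The new `IPV6:` entry under `pattern_definitions:` re-declares the whole built-in grok IPv6 regex only to change the trailing zone-id group, and the one-line comment does not say what was wrong with the built-in definition, so a later refresh of the pattern could silently reintroduce the bug. I would replace the comment with `# Overrides the built-in IPV6 pattern: its zone-id suffix (%.+)? is greedy and can absorb the following space-delimited fields, so this copy stops the zone id at the next space with (%[^ ]+)?.` Note also that `[^ ]+` accepts any non-space run, so an IPv6 address whose zone id is immediately followed by a comma or quote (the X-Forwarded-For list in the test log is comma-separated) would carry those characters into the address if that field is ever matched with `IPORHOST` instead of `NOTSPACE`; a negative pipeline test for that case would pin the intended behaviour. The `patterns:` entry that consumes these definitions is cut off at the end of the hunk.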
From: Ishleen Kaur
Date: Tue, 10 May 2022 19:44:02 +0530
Subject: [PATCH 2/5] IIS_31547: The iis parsing for IPv6 logs
---
 packages/iis/changelog.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/iis/changelog.yml b/packages/iis/changelog.yml
index e425ec8f158..4f969c1aaa4 100644
--- a/packages/iis/changelog.yml
+++ b/packages/iis/changelog.yml
@@ -3,7 +3,7 @@
 changes:
 - description: Parsing of IIS access logs with IPV6 addressing
 type: bugfix
- link: https://github.com/elastic/integrations/pull/3311
+ link: https://github.com/elastic/integrations/pull/3315
 - version: "0.8.4"
 changes:
 - description: Add documentation for multi-fields
From f005df8e7d5cddeab7aaf6812a10cf4bdfd83ad2 Mon Sep 17 00:00:00 2001
From: Ishleen Kaur
Date: Thu, 12 May 2022 11:52:12 +0530
Subject: [PATCH 3/5] IIS_31547: The iis parsing for IPv6 logs
---
 .../_dev/test/pipeline/test-iis-access-72.log | 8 ++--
 .../test-iis-access-72.log-expected.json | 43 ++++++++-----------
 2 files changed, 21 insertions(+), 30 deletions(-)
diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log
index 76636765915..25275a3071a 100644
--- a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log
+++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log
@@ -5,7 +5,7 @@
 2018-12-31 12:02:53 10.44.0.136 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:\+/OG 8080 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 64 15
 2022-03-13 02:04:11 10.44.0.136 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:\+/OG 8080 - 10.44.0.136 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 216.160.83.61,81.2.69.193
 2022-03-13 02:04:11 10.44.0.136 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:\+/OG 8080 - 10.44.0.136 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6
-2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - fe81::63ae:94c0:196e:8adf%3 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 81.2.69.144
-2022-03-13 02:04:11 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 81.2.69.143,81.2.69.144
-2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - fe81::63ae:94c0:196e:8adf%3 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6
-2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:\+/OG 8080 - fe81::63ae:94c0:196e:8adf%3 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12
\ No newline at end of file
+2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - ce81::33ae:94c0:197e:6aff%2 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 81.2.69.144
+2022-03-13 02:04:11 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - ce81::33ae:94c0:197e:6aff%2 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 81.2.69.143,81.2.69.144
+2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - ce81::33ae:94c0:197e:6aff%2 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6
+2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:\+/OG 8080 - ce81::33ae:94c0:197e:6aff%2 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12
diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log-expected.json b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log-expected.json
index 47da6e28209..0d3fc8fe9b5 100644
--- a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log-expected.json
+++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log-expected.json
@@ -501,7 +501,7 @@
 "network"
 ],
 "kind": "event",
- "original": "2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - fe81::63ae:94c0:196e:8adf%3 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 81.2.69.144",
+ "original": "2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - ce81::33ae:94c0:197e:6aff%2 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 81.2.69.144",
 "outcome": "success",
 "type": [
 "connection"
@@ -526,13 +526,13 @@
 },
 "related": {
 "ip": [
- "fe81::63ae:94c0:196e:8adf",
+ "ce81::33ae:94c0:197e:6aff",
 "fe81::63ae:94c0:196e:8adf"
 ]
 },
 "source": {
- "address": "fe81::63ae:94c0:196e:8adf%3",
- "ip": "fe81::63ae:94c0:196e:8adf"
+ "address": "ce81::33ae:94c0:197e:6aff%2",
+ "ip": "ce81::33ae:94c0:197e:6aff"
 },
 "tags": [
 "preserve_original_event"
@@ -573,7 +573,7 @@
 "network"
 ],
 "kind": "event",
- "original": "2022-03-13 02:04:11 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 81.2.69.143,81.2.69.144",
+ "original": "2022-03-13 02:04:11 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - ce81::33ae:94c0:197e:6aff%2 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 81.2.69.143,81.2.69.144",
 "outcome": "success",
 "type": [
 "connection"
@@ -598,22 +598,13 @@
 },
 "related": {
 "ip": [
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "ce81::33ae:94c0:197e:6aff",
 "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 ]
 },
 "source": {
- "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
- "geo": {
- "continent_name": "Europe",
- "country_iso_code": "NO",
- "country_name": "Norway",
- "location": {
- "lat": 62.0,
- "lon": 10.0
- }
- },
- "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
+ "address": "ce81::33ae:94c0:197e:6aff%2",
+ "ip": "ce81::33ae:94c0:197e:6aff"
 },
 "tags": [
 "preserve_original_event"
@@ -654,7 +645,7 @@
 "network"
 ],
 "kind": "event",
- "original": "2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - fe81::63ae:94c0:196e:8adf%3 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "original": "2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - ce81::33ae:94c0:197e:6aff%2 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "outcome": "success",
 "type": [
 "connection"
@@ -679,13 +670,13 @@
 },
 "related": {
 "ip": [
- "fe81::63ae:94c0:196e:8adf",
+ "ce81::33ae:94c0:197e:6aff",
 "fe81::63ae:94c0:196e:8adf"
 ]
 },
 "source": {
- "address": "fe81::63ae:94c0:196e:8adf%3",
- "ip": "fe81::63ae:94c0:196e:8adf"
+ "address": "ce81::33ae:94c0:197e:6aff%2",
+ "ip": "ce81::33ae:94c0:197e:6aff"
 },
 "tags": [
 "preserve_original_event"
@@ -726,7 +717,7 @@
 "network"
 ],
 "kind": "event",
- "original": "2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:\\+/OG 8080 - fe81::63ae:94c0:196e:8adf%3 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12",
+ "original": "2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:\\+/OG 8080 - ce81::33ae:94c0:197e:6aff%2 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12",
 "outcome": "success",
 "type": [
 "connection"
@@ -748,13 +739,13 @@
 },
 "related": {
 "ip": [
- "fe81::63ae:94c0:196e:8adf",
+ "ce81::33ae:94c0:197e:6aff",
 "fe81::63ae:94c0:196e:8adf"
 ]
 },
 "source": {
- "address": "fe81::63ae:94c0:196e:8adf%3",
- "ip": "fe81::63ae:94c0:196e:8adf"
+ "address": "ce81::33ae:94c0:197e:6aff%2",
+ "ip": "ce81::33ae:94c0:197e:6aff"
 },
 "tags": [
 "preserve_original_event"
@@ -780,4 +771,4 @@
 }
 }
 ]
-}
\ No newline at end of file
+}
From 5d4f46acb549d346ec93fc808f561cd5e8e2f63f Mon Sep 17 00:00:00 2001
From: Ishleen Kaur
Date: Thu, 12 May 2022 13:22:51 +0530
Subject: [PATCH 4/5] IIS_31547: The iis parsing for IPv6 logs
---
 .../_dev/test/pipeline/test-iis-access-72.log | 8 ++---
 .../test-iis-access-72.log-expected.json | 34 +++++++++----------
 2 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log
index 25275a3071a..0b2d4b43d22 100644
--- a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log
+++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log
@@ -5,7 +5,7 @@
 2018-12-31 12:02:53 10.44.0.136 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:\+/OG 8080 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 64 15
 2022-03-13 02:04:11 10.44.0.136 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:\+/OG 8080 - 10.44.0.136 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 216.160.83.61,81.2.69.193
 2022-03-13 02:04:11 10.44.0.136 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:\+/OG 8080 - 10.44.0.136 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6
-2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - ce81::33ae:94c0:197e:6aff%2 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 81.2.69.144
-2022-03-13 02:04:11 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - ce81::33ae:94c0:197e:6aff%2 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 81.2.69.143,81.2.69.144
-2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - ce81::33ae:94c0:197e:6aff%2 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6
-2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:\+/OG 8080 - ce81::33ae:94c0:197e:6aff%2 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12
+2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - fe81::64ae:95c0:196e:8adf%3 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 81.2.69.144
+2022-03-13 02:04:11 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - fe81::64ae:95c0:196e:8adf%3 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 81.2.69.143,81.2.69.144
+2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - fe81::64ae:95c0:196e:8adf%3 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6
+2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:\+/OG 8080 - fe81::64ae:95c0:196e:8adf%3 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12
diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log-expected.json b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log-expected.json
index 0d3fc8fe9b5..f1db10f2796 100644
--- a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log-expected.json
+++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log-expected.json
@@ -501,7 +501,7 @@
 "network"
 ],
 "kind": "event",
- "original": "2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - ce81::33ae:94c0:197e:6aff%2 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 81.2.69.144",
+ "original": "2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - fe81::64ae:95c0:196e:8adf%3 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 81.2.69.144",
 "outcome": "success",
 "type": [
 "connection"
@@ -526,13 +526,13 @@
 },
 "related": {
 "ip": [
- "ce81::33ae:94c0:197e:6aff",
+ "fe81::64ae:95c0:196e:8adf",
 "fe81::63ae:94c0:196e:8adf"
 ]
 },
 "source": {
- "address": "ce81::33ae:94c0:197e:6aff%2",
- "ip": "ce81::33ae:94c0:197e:6aff"
+ "address": "fe81::64ae:95c0:196e:8adf%3",
+ "ip": "fe81::64ae:95c0:196e:8adf"
 },
 "tags": [
 "preserve_original_event"
@@ -573,7 +573,7 @@
 "network"
 ],
 "kind": "event",
- "original": "2022-03-13 02:04:11 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - ce81::33ae:94c0:197e:6aff%2 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 81.2.69.143,81.2.69.144",
+ "original": "2022-03-13 02:04:11 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - fe81::64ae:95c0:196e:8adf%3 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 81.2.69.143,81.2.69.144",
 "outcome": "success",
 "type": [
 "connection"
@@ -598,13 +598,13 @@
 },
 "related": {
 "ip": [
- "ce81::33ae:94c0:197e:6aff",
+ "fe81::64ae:95c0:196e:8adf",
 "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 ]
 },
 "source": {
- "address": "ce81::33ae:94c0:197e:6aff%2",
- "ip": "ce81::33ae:94c0:197e:6aff"
+ "address": "fe81::64ae:95c0:196e:8adf%3",
+ "ip": "fe81::64ae:95c0:196e:8adf"
 },
 "tags": [
 "preserve_original_event"
@@ -645,7 +645,7 @@
 "network"
 ],
 "kind": "event",
- "original": "2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - ce81::33ae:94c0:197e:6aff%2 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "original": "2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - fe81::64ae:95c0:196e:8adf%3 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "outcome": "success",
 "type": [
 "connection"
@@ -670,13 +670,13 @@
 },
 "related": {
 "ip": [
- "ce81::33ae:94c0:197e:6aff",
+ "fe81::64ae:95c0:196e:8adf",
 "fe81::63ae:94c0:196e:8adf"
 ]
 },
 "source": {
- "address": "ce81::33ae:94c0:197e:6aff%2",
- "ip": "ce81::33ae:94c0:197e:6aff"
+ "address": "fe81::64ae:95c0:196e:8adf%3",
+ "ip": "fe81::64ae:95c0:196e:8adf"
 },
 "tags": [
 "preserve_original_event"
@@ -717,7 +717,7 @@
 "network"
 ],
 "kind": "event",
- "original": "2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:\\+/OG 8080 - ce81::33ae:94c0:197e:6aff%2 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12",
+ "original": "2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:\\+/OG 8080 - fe81::64ae:95c0:196e:8adf%3 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12",
 "outcome": "success",
 "type": [
 "connection"
@@ -739,13 +739,13 @@
 },
 "related": {
 "ip": [
- "ce81::33ae:94c0:197e:6aff",
+ "fe81::64ae:95c0:196e:8adf",
 "fe81::63ae:94c0:196e:8adf"
 ]
 },
 "source": {
- "address": "ce81::33ae:94c0:197e:6aff%2",
- "ip": "ce81::33ae:94c0:197e:6aff"
+ "address": "fe81::64ae:95c0:196e:8adf%3",
+ "ip": "fe81::64ae:95c0:196e:8adf"
 },
 "tags": [
 "preserve_original_event"
@@ -771,4 +771,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
From 659499c088647535a78d5a44b348bd2fa9dff7fd Mon Sep 17 00:00:00 2001
From: Andrew Kroh
Date: Mon, 16 May 2022 11:18:12 -0400
Subject: [PATCH 5/5] Add space to YAML comment
Usually no space between the `#` and the comment is reserved for commented out code/data.
---
 .../access/elasticsearch/ingest_pipeline/default.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/iis/data_stream/access/elasticsearch/ingest_pipeline/default.yml b/packages/iis/data_stream/access/elasticsearch/ingest_pipeline/default.yml
index f8229643ae8..6305fef327b 100644
--- a/packages/iis/data_stream/access/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/iis/data_stream/access/elasticsearch/ingest_pipeline/default.yml
@@ -13,7 +13,7 @@ processors:
 field: event.original
 ignore_missing: true
 pattern_definitions:
- #This IPV6 pattern changes the zone_id to match non-space characters
+ # This IPV6 pattern changes the zone_id to match non-space characters.
 IPV6: ((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%[^ ]+)?
 patterns:
 - '%{TIMESTAMP_ISO8601:iis.access.time} (?:-|%{IPORHOST:destination.address}) (?:-|%{WORD:http.request.method})