Iptables module for Filebeat (elastic#10176)
This adds a new x-pack module to parse iptables logs from a file.
The module understands additional fields added by Ubiquiti firewalls.

Example iptables event:
```
"iptables": {
      "ether_type": 2048,
      "input_device": "eth0",
      "output_device": "wan1",
      "tcp": {
        "reserved_bits": 0,
        "flags": "ACK",
        "window": 128
      },
      "precedence_bits": 0,
      "length": 123,
      "tos": 0,
      "output_device": "lo",
      "id": 12345,
      "ttl": 255
    },
```

For Ubiquiti logs, it parses the Ubiquiti tag before iptables logs.

Format: RuleSet-RuleNumber-Action

It's a common pattern to format the RuleSet as "InputDevice-OutputDevice".
Action can be A for allow and D for Deny. RuleNumber can be a number
or "default".

For [source-dest-42-D]:
```
        "iptables.ubiquiti.input_zone": "source",
        "iptables.ubiquiti.output_zone": "dest",
        "iptables.ubiquiti.rule_number": "42",
        "iptables.ubiquiti.rule_set": "source-dest",
        "event.outcome": "deny",
```
The following ECS fields are populated:

```
        "destination.ip": "10.4.0.5",
        "destination.mac": "90:10:20:76:8d:20",
        "destination.port": 443,
        "ecs.version": "1.0.0-beta2",
        "event.dataset": "iptables.log",
        "event.module": "iptables",
        "event.outcome": "deny", (only when Ubiquiti extension found)
        "fileset.name": "log",
        "network.transport": "tcp",
        "network.type": "ipv4",
        "source.geo.city_name": "Bellaterra",
        "source.geo.continent_name": "Europe",
        "source.geo.country_iso_code": "ES",
        "source.geo.location.lat": 41.5026,
        "source.geo.location.lon": 2.0875,
        "source.geo.region_iso_code": "ES-B",
        "source.geo.region_name": "Barcelona",
        "source.ip": "158.109.0.1",
        "source.mac": "90:10:65:29:b6:2a",
        "source.port": 38842
```

Closes elastic#8781

Co-Authored-by: James Spiteri <[email protected]>
adriansr and jamesspi authored Jan 29, 2019
1 parent 1b094b7 commit d7c14df
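The parsing the commit message describes, as an added, self-contained example that is not the Filebeat module's own ingest pipeline: it turns netfilter LOG lines into the flat `iptables.*` and ECS-style keys listed above, handles the `[RuleSet-RuleNumber-Action]` Ubiquiti tag (including a rule set of the `InputZone-OutputZone` form and a `default` rule number), and maps `A`/`D` to `event.outcome`. It goes slightly beyond the message in two places: a `LEN=` or `ID=`/`SEQ=` token that appears after `PROTO=` is assigned to the UDP or ICMP fields rather than the IP header fields, and a bracketed prefix that is not a Ubiquiti tag (such as ufw's `[UFW BLOCK]`) is ignored rather than misparsed. The sample lines are constructed, the `MAC=` layout (destination MAC, source MAC, EtherType) is the netfilter LOG format, and the flag-joining convention and the `event.module`/`event.dataset`/`fileset.name` constants are assumptions, not taken from the module.

```python
"""Added example (not the Filebeat module's own pipeline): parse netfilter LOG
lines, with or without a Ubiquiti rule tag, into the keys the commit lists."""
import re
from typing import Any, Dict

TAG_RE = re.compile(r"^\[(?P<tag>[^\]]+)\]\s*")   # "[RuleSet-Rule-Action]" before IN=
# netfilter emits KEY=VALUE tokens plus bare flag words (DF, MF, CE, SYN, ACK, ...)
TOKEN_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)|(?P<flag>[A-Z]+)")
IP_FRAG_FLAGS = {"CE", "DF", "MF"}
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
HEX_KEYS = {"TOS": "iptables.tos", "PREC": "iptables.precedence_bits",
            "RES": "iptables.tcp.reserved_bits"}          # logged as 0x..
DECIMAL_KEYS = {"TTL": "iptables.ttl", "FRAG": "iptables.fragment_offset",
                "FLOWLBL": "iptables.flow_label", "SPT": "source.port",
                "DPT": "destination.port", "WINDOW": "iptables.tcp.window",
                "TYPE": "iptables.icmp.type", "CODE": "iptables.icmp.code"}

def parse_ubiquiti_tag(tag: str) -> Dict[str, str]:
    """'RuleSet-RuleNumber-Action' -> iptables.ubiquiti.* plus event.outcome.
    RuleSet may itself be 'InputZone-OutputZone', so split from the right."""
    parts = tag.rsplit("-", 2)
    if len(parts) != 3:               # e.g. "[UFW BLOCK]" is not a Ubiquiti tag
        return {}
    rule_set, rule_number, action = parts
    out = {"iptables.ubiquiti.rule_set": rule_set,
           "iptables.ubiquiti.rule_number": rule_number}   # may be "default"
    zones = rule_set.split("-")
    if len(zones) == 2:
        out["iptables.ubiquiti.input_zone"], out["iptables.ubiquiti.output_zone"] = zones
    if action == "A":
        out["event.outcome"] = "allow"
    elif action == "D":
        out["event.outcome"] = "deny"
    return out

def parse_iptables_line(line: str) -> Dict[str, Any]:
    ev: Dict[str, Any] = {"event.module": "iptables",      # assumed constants
                          "event.dataset": "iptables.log", "fileset.name": "log"}
    msg = line.split("kernel:", 1)[1].strip() if "kernel:" in line else line.strip()
    m = TAG_RE.match(msg)
    if m:
        ev.update(parse_ubiquiti_tag(m.group("tag")))
        msg = msg[m.end():]
    proto, ip_flags, tcp_flags = None, [], []   # after PROTO=, ID/SEQ/LEN belong to layer 4
    for tok in TOKEN_RE.finditer(msg):
        key, val, flag = tok.group("key"), tok.group("val"), tok.group("flag")
        if flag:              # bare word: only known flag names mean anything
            if flag in IP_FRAG_FLAGS:
                ip_flags.append(flag)
            elif proto == "tcp" and flag in TCP_FLAGS:
                tcp_flags.append(flag)
        elif key == "IN" and val:
            ev["iptables.input_device"] = val
        elif key == "OUT" and val:
            ev["iptables.output_device"] = val
        elif key == "MAC":
            o = val.split(":")   # dst MAC (6 octets), src MAC (6), EtherType (2)
            if len(o) == 14:
                ev["destination.mac"] = ":".join(o[:6])
                ev["source.mac"] = ":".join(o[6:12])
                ev["iptables.ether_type"] = int("".join(o[12:]), 16)
        elif key == "SRC":
            ev["source.ip"] = val
            ev["network.type"] = "ipv6" if ":" in val else "ipv4"
        elif key == "DST":
            ev["destination.ip"] = val
        elif key == "PROTO":
            proto = val.lower()
            ev["network.transport"] = proto
        elif key == "LEN":    # IP total length first; a LEN after PROTO=UDP is the UDP length
            ev["iptables.udp.length" if proto == "udp" else "iptables.length"] = int(val)
        elif key == "ID":     # IP Identification before PROTO, ICMP identifier after it
            ev["iptables.icmp.id" if proto == "icmp" else "iptables.id"] = int(val)
        elif key == "SEQ":    # "ACK" with no "=" is a flag, so it is handled above
            ev["iptables.icmp.seq" if proto == "icmp" else "iptables.tcp.seq"] = int(val)
        elif key in HEX_KEYS:
            ev[HEX_KEYS[key]] = int(val, 16)
        elif key in DECIMAL_KEYS:
            ev[DECIMAL_KEYS[key]] = int(val)
    if ip_flags:
        ev["iptables.fragment_flags"] = " ".join(ip_flags)   # joining convention assumed
    if tcp_flags:
        ev["iptables.tcp.flags"] = " ".join(tcp_flags)
    return ev

# Constructed sample lines, not real captures: a Ubiquiti-tagged TCP line reusing the
# commit message's addresses, a plain iptables UDP line (no tag), a ufw ICMP echo.
SAMPLE_LINES = [
    "Jan 29 10:23:45 ubnt kernel: [source-dest-42-D]IN=eth0 OUT=wan1 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 "
    "SRC=158.109.0.1 DST=10.4.0.5 LEN=123 TOS=0x00 PREC=0x00 TTL=255 ID=12345 DF PROTO=TCP "
    "SPT=38842 DPT=443 WINDOW=128 RES=0x00 ACK URGP=0",
    "Jan 29 10:24:01 fw kernel: IPT-DROP: IN=eth1 OUT= MAC=00:16:3e:11:22:33:52:54:00:aa:bb:cc:08:00 "
    "SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51234 DPT=53 LEN=40",
    "Jan 29 10:25:00 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:11:22:33:52:54:00:aa:bb:cc:08:00 "
    "SRC=198.51.100.7 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=53 ID=5161 DF PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print({k: v for k, v in sorted(parse_iptables_line(raw).items())})
```

Running the script prints one flat dictionary per sample line; the first reproduces the `iptables.ubiquiti.*` and ECS values quoted in the commit message, the second has no `event.outcome` because there is no Ubiquiti tag, and the third shows why the parser has to track `PROTO=`: the two `ID=` tokens on an ICMP line are the IP Identification field and the ICMP identifier, and only the ordering tells them apart.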
Showing 31 changed files with 3,490 additions and 0 deletions.
321 changes: 321 additions & 0 deletions filebeat/docs/fields.asciidoc
Expand Up @@ -23,6 +23,7 @@ grouped in the following categories:
* <<exported-fields-host-processor>>
* <<exported-fields-icinga>>
* <<exported-fields-iis>>
* <<exported-fields-iptables>>
* <<exported-fields-kafka>>
* <<exported-fields-kibana>>
* <<exported-fields-kubernetes-processor>>
Expand Down Expand Up @@ -5594,6 +5595,326 @@ alias to: source.geo.region_iso_code
--
[[exported-fields-iptables]]
== iptables fields
Module for handling the iptables logs.
[float]
== iptables fields
Fields from the iptables logs.
*`iptables.ether_type`*::
+
--
type: long
Value of the ethernet type field identifying the network layer protocol.
--
*`iptables.flow_label`*::
+
--
type: integer
IPv6 flow label.
--
*`iptables.fragment_flags`*::
+
--
type: keyword
IP fragment flags. A combination of CE, DF and MF.
--
*`iptables.fragment_offset`*::
+
--
type: long
Offset of the current IP fragment.
--
[float]
== icmp fields
ICMP fields.
*`iptables.icmp.code`*::
+
--
type: long
ICMP code.
--
*`iptables.icmp.id`*::
+
--
type: long
ICMP ID.
--
*`iptables.icmp.parameter`*::
+
--
type: long
ICMP parameter.
--
*`iptables.icmp.redirect`*::
+
--
type: ip
ICMP redirect address.
--
*`iptables.icmp.seq`*::
+
--
type: long
ICMP sequence number.
--
*`iptables.icmp.type`*::
+
--
type: long
ICMP type.
--
*`iptables.id`*::
+
--
type: long
Packet identifier.
--
*`iptables.incomplete_bytes`*::
+
--
type: long
Number of incomplete bytes.
--
*`iptables.input_device`*::
+
--
type: keyword
Device that received the packet.
--
*`iptables.precedence_bits`*::
+
--
type: short
IP precedence bits.
--
*`iptables.tos`*::
+
--
type: long
IP Type of Service field.
--
*`iptables.length`*::
+
--
type: long
Packet length.
--
*`iptables.output_device`*::
+
--
type: keyword
Device that output the packet.
--
[float]
== tcp fields
TCP fields.
*`iptables.tcp.flags`*::
+
--
type: keyword
TCP flags.
--
*`iptables.tcp.reserved_bits`*::
+
--
type: short
TCP reserved bits.
--
*`iptables.tcp.seq`*::
+
--
type: long
TCP sequence number.
--
*`iptables.tcp.ack`*::
+
--
type: long
TCP Acknowledgment number.
--
*`iptables.tcp.window`*::
+
--
type: long
Advertised TCP window size.
--
*`iptables.ttl`*::
+
--
type: integer
Time To Live field.
--
[float]
== udp fields
UDP fields.
*`iptables.udp.length`*::
+
--
type: long
Length of the UDP header and payload.
--
[float]
== ubiquiti fields
Fields for Ubiquiti network devices.
*`iptables.ubiquiti.input_zone`*::
+
--
type: keyword
Input zone.
--
*`iptables.ubiquiti.output_zone`*::
+
--
type: keyword
Output zone.
--
*`iptables.ubiquiti.rule_number`*::
+
--
type: keyword
The rule number within the rule set.
--
*`iptables.ubiquiti.rule_set`*::
+
--
type: keyword
The rule set name.
--
[[exported-fields-kafka]]
== Kafka fields
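Review bot: the numeric field types in this hunk are inconsistent: `iptables.ttl` and `iptables.flow_label` are declared `type: integer`, `iptables.precedence_bits` and `iptables.tcp.reserved_bits` are `type: short`, while the other header counters (`iptables.id`, `iptables.tos`, `iptables.length`, the `iptables.icmp.*` and `iptables.tcp.*` numbers) are `type: long`; pick one width per kind of value so queries across these fields do not need per-field casting. The description of `iptables.id` ("Packet identifier.") should also say it is the IPv4 header Identification field, since the same `ID=` token on an ICMP line is documented separately as `iptables.icmp.id`, and "Device that output the packet." under `iptables.output_device` would read better as "Device the packet was sent out on."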
Binary file added filebeat/docs/images/kibana-iptables.png

0 comments on commit d7c14df

Please sign in to comment.