diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 643b688340c7..31de2c0d15a7 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -28,6 +28,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Modify apache/error dataset to follow ECS. {pull}8963[8963] - Rename many `traefik.access.*` fields to map to ECS. {pull}9005[9005] - Fix parsing of GC entries in elasticsearch server log. {issue}9513[9513] {pull}9810[9810] +- Rename many `iis.error.*` fields to map to ECS. {pull}9955[9955] - Rename a few `logstash.*` fields to map to ECS, remove logstash.slowlog.message. {pull}9935[9935] - Rename a few `mysql.*` fields to map to ECS. {pull}10008[10008] - Rename a few `nginx.error.*` fields to map to ECS. {pull}10007[10007] @@ -67,7 +68,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Filebeat* - Add `convert_timezone` option to Elasticsearch module to convert dates to UTC. {issue}9756[9756] {pull}9761[9761] -- Support IPv6 addresses with zone id in IIS ingest pipeline. {issue}9836[9836] {pull}9869[9869] +- Support IPv6 addresses with zone id in IIS ingest pipeline. + {issue}9836[9836] error log: {pull}9869[9869], access log: {pull}9955[9955]. - Support haproxy log lines without captured headers. {issue}9463[9463] {pull}9958[9958] *Heartbeat* diff --git a/dev-tools/ecs-migration.yml b/dev-tools/ecs-migration.yml index 7b503928c419..254d5ed0b780 100644 --- a/dev-tools/ecs-migration.yml +++ b/dev-tools/ecs-migration.yml @@ -281,11 +281,11 @@ ## IIS module - from: iis.access.server_ip - to: destination.ip + to: destination.address alias: true - from: iis.access.remote_ip - to: source.ip + to: source.address alias: true - from: iis.access.url 
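Review bot: The `iis.access.server_ip` and `iis.access.remote_ip` aliases in the dev-tools/ecs-migration.yml hunk move from `*.ip` to `*.address` with no comment recording why. The fixtures in this commit show the reason: `source.address` keeps the raw `::1%0` while `source.ip` holds the stripped `::1`. A comment under `## IIS module` would capture that, for example `# *.address, not *.ip: IIS may log an IPv6 zone id (::1%0); the pipeline stores the stripped value in *.ip`. The same applies to the `iis.error.remote_ip` and `iis.error.server_ip` entries added in the next hunk. Saved searches or detection rules that used the old names for IP-range matching would presumably need to query `source.ip` / `destination.ip` directly, which is worth a line in the migration notes.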
@@ -348,6 +348,62 @@ to: http.request.referrer alias: true +- from: iis.error.remote_ip + to: source.address + alias: true + +- from: iis.error.remote_port + to: source.port + alias: true + +- from: iis.error.server_ip + to: destination.address + alias: true + +- from: iis.error.server_port + to: destination.port + alias: true + +- from: iis.error.http_version + to: http.version + alias: true + +- from: iis.error.method + to: http.request.method + alias: true + +- from: iis.error.url + to: url.original + alias: true + +- from: iis.error.response_code + to: http.response.status_code + alias: true + +- from: iis.error.geoip.continent_name + to: source.geo.continent_name + alias: true + +- from: iis.error.geoip.country_iso_code + to: source.geo.country_iso_code + alias: true + +- from: iis.error.geoip.location + to: source.geo.location + alias: true + +- from: iis.error.geoip.region_name + to: source.geo.region_name + alias: true + +- from: iis.error.geoip.city_name + to: source.geo.city_name + alias: true + +- from: iis.error.geoip.region_iso_code + to: source.geo.region_iso_code + alias: true + ## HAProxy module - from: haproxy.client.port diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 8dacbd02730d..86511fb0f08f 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -5163,7 +5163,7 @@ The number of bytes of the server request body. -- type: alias -alias to: destination.ip +alias to: destination.address -- @@ -5217,7 +5217,7 @@ alias to: user.name -- type: alias -alias to: source.ip +alias to: source.address -- 
@@ -5410,172 +5410,150 @@ Contains fields for IIS error logs. -*`iis.error.remote_ip`*:: +*`iis.error.reason_phrase`*:: + -- type: keyword -The client IP address. +The HTTP reason phrase. -- -*`iis.error.remote_port`*:: +*`iis.error.queue_name`*:: + -- -type: long +type: keyword -The client port number. +The IIS application pool name. -- -*`iis.error.server_ip`*:: +*`iis.error.remote_ip`*:: + -- -type: keyword - -The server IP address. +type: alias +alias to: source.address -- -*`iis.error.server_port`*:: +*`iis.error.remote_port`*:: + -- -type: long - -The server port number. +type: alias +alias to: source.port -- -*`iis.error.http_version`*:: +*`iis.error.server_ip`*:: + -- -type: keyword - -The HTTP version. +type: alias +alias to: destination.address -- -*`iis.error.method`*:: +*`iis.error.server_port`*:: + -- -type: keyword - -example: GET - -The request HTTP method. +type: alias +alias to: destination.port -- -*`iis.error.url`*:: +*`iis.error.http_version`*:: + -- -type: keyword - -The request HTTP URL. +type: alias +alias to: http.version -- -*`iis.error.response_code`*:: +*`iis.error.method`*:: + -- -type: long - -The HTTP response code. +type: alias +alias to: http.request.method -- -*`iis.error.reason_phrase`*:: +*`iis.error.url`*:: + -- -type: keyword - -The HTTP reason phrase. +type: alias +alias to: url.original -- -*`iis.error.queue_name`*:: +*`iis.error.response_code`*:: + -- -type: keyword - -The IIS application pool name. +type: alias +alias to: http.response.status_code -- -[float] -== geoip fields - -Contains GeoIP information gathered based on the remote_ip field. Only present if the GeoIP Elasticsearch plugin is available and used. - - *`iis.error.geoip.continent_name`*:: + -- -type: keyword - -The name of the continent. +type: alias +alias to: source.geo.continent_name -- *`iis.error.geoip.country_iso_code`*:: + -- -type: keyword - -Country ISO code. 
+type: alias +alias to: source.geo.country_iso_code -- *`iis.error.geoip.location`*:: + -- -type: geo_point - -The longitude and latitude. +type: alias +alias to: source.geo.location -- *`iis.error.geoip.region_name`*:: + -- -type: keyword - -The region name. +type: alias +alias to: source.geo.region_name -- *`iis.error.geoip.city_name`*:: + -- -type: keyword - -The city name. +type: alias +alias to: source.geo.city_name -- *`iis.error.geoip.region_iso_code`*:: + -- -type: keyword - -Region ISO code. +type: alias +alias to: source.geo.region_iso_code -- diff --git a/filebeat/module/iis/access/_meta/fields.yml b/filebeat/module/iis/access/_meta/fields.yml index 4ad8c6463ee9..74e1d9b36947 100644 --- a/filebeat/module/iis/access/_meta/fields.yml +++ b/filebeat/module/iis/access/_meta/fields.yml @@ -40,7 +40,7 @@ - name: server_ip type: alias - path: destination.ip + path: destination.address migration: true - name: method type: alias @@ -64,7 +64,7 @@ migration: true - name: remote_ip type: alias - path: source.ip + path: source.address migration: true - name: referrer type: alias diff --git a/filebeat/module/iis/access/ingest/default.json b/filebeat/module/iis/access/ingest/default.json index 6f94700a08be..98df08871248 100644 --- a/filebeat/module/iis/access/ingest/default.json +++ b/filebeat/module/iis/access/ingest/default.json 
@@ -4,10 +4,10 @@ "grok": { "field": "message", "patterns":[ - "%{TIMESTAMP_ISO8601:iis.access.time} %{IPORHOST:destination.ip} %{WORD:http.request.method} %{URIPATH:url.path} %{NOTSPACE:url.query} %{NUMBER:destination.port:long} %{NOTSPACE:user.name} %{IPORHOST:source.ip} %{NOTSPACE:iis.access.agent} %{NOTSPACE:http.request.referrer} %{NUMBER:http.response.status_code:long} %{NUMBER:iis.access.sub_status:long} %{NUMBER:iis.access.win32_status:long} %{NUMBER:iis.access.request_time_ms:long}", - "%{TIMESTAMP_ISO8601:iis.access.time} %{NOTSPACE:iis.access.site_name} %{WORD:http.request.method} %{URIPATH:url.path} %{NOTSPACE:url.query} %{NUMBER:destination.port:long} %{NOTSPACE:user.name} %{IPORHOST:source.ip} %{NOTSPACE:iis.access.agent} %{NOTSPACE:iis.access.cookie} %{NOTSPACE:http.request.referrer} %{NOTSPACE:destination.domain} %{NUMBER:http.response.status_code:long} %{NUMBER:iis.access.sub_status:long} %{NUMBER:iis.access.win32_status:long} %{NUMBER:iis.access.body_sent.bytes:long} %{NUMBER:iis.access.body_received.bytes:long} %{NUMBER:iis.access.request_time_ms:long}", - "%{TIMESTAMP_ISO8601:iis.access.time} %{NOTSPACE:iis.access.site_name} %{NOTSPACE:iis.access.server_name} %{IPORHOST:destination.ip} %{WORD:http.request.method} %{URIPATH:url.path} %{NOTSPACE:url.query} %{NUMBER:destination.port:long} %{NOTSPACE:user.name} %{IPORHOST:source.ip} HTTP/%{NUMBER:http.version} %{NOTSPACE:iis.access.agent} %{NOTSPACE:iis.access.cookie} %{NOTSPACE:http.request.referrer} %{NOTSPACE:destination.domain} %{NUMBER:http.response.status_code:long} %{NUMBER:iis.access.sub_status:long} %{NUMBER:iis.access.win32_status:long} %{NUMBER:iis.access.body_sent.bytes:long} %{NUMBER:iis.access.body_received.bytes:long} %{NUMBER:iis.access.request_time_ms:long}", - "%{TIMESTAMP_ISO8601:iis.access.time} \\[%{IPORHOST:destination.ip}\\]\\(http://%{IPORHOST:destination.ip}\\) %{WORD:http.request.method} %{URIPATH:url.path} %{NOTSPACE:url.query} %{NUMBER:destination.port:long} 
%{NOTSPACE:user.name} \\[%{IPORHOST:source.ip}\\]\\(http://%{IPORHOST:source.ip}\\) %{NOTSPACE:iis.access.agent} %{NUMBER:http.response.status_code:long} %{NUMBER:iis.access.sub_status:long} %{NUMBER:iis.access.win32_status:long} %{NUMBER:iis.access.request_time_ms:long}" + "%{TIMESTAMP_ISO8601:iis.access.time} %{IPORHOST:destination.address} %{WORD:http.request.method} %{URIPATH:url.path} %{NOTSPACE:url.query} %{NUMBER:destination.port:long} %{NOTSPACE:user.name} %{IPORHOST:source.address} %{NOTSPACE:iis.access.agent} %{NOTSPACE:http.request.referrer} %{NUMBER:http.response.status_code:long} %{NUMBER:iis.access.sub_status:long} %{NUMBER:iis.access.win32_status:long} %{NUMBER:iis.access.request_time_ms:long}", + "%{TIMESTAMP_ISO8601:iis.access.time} %{NOTSPACE:iis.access.site_name} %{WORD:http.request.method} %{URIPATH:url.path} %{NOTSPACE:url.query} %{NUMBER:destination.port:long} %{NOTSPACE:user.name} %{IPORHOST:source.address} %{NOTSPACE:iis.access.agent} %{NOTSPACE:iis.access.cookie} %{NOTSPACE:http.request.referrer} %{NOTSPACE:destination.domain} %{NUMBER:http.response.status_code:long} %{NUMBER:iis.access.sub_status:long} %{NUMBER:iis.access.win32_status:long} %{NUMBER:iis.access.body_sent.bytes:long} %{NUMBER:iis.access.body_received.bytes:long} %{NUMBER:iis.access.request_time_ms:long}", + "%{TIMESTAMP_ISO8601:iis.access.time} %{NOTSPACE:iis.access.site_name} %{NOTSPACE:iis.access.server_name} %{IPORHOST:destination.address} %{WORD:http.request.method} %{URIPATH:url.path} %{NOTSPACE:url.query} %{NUMBER:destination.port:long} %{NOTSPACE:user.name} %{IPORHOST:source.address} HTTP/%{NUMBER:http.version} %{NOTSPACE:iis.access.agent} %{NOTSPACE:iis.access.cookie} %{NOTSPACE:http.request.referrer} %{NOTSPACE:destination.domain} %{NUMBER:http.response.status_code:long} %{NUMBER:iis.access.sub_status:long} %{NUMBER:iis.access.win32_status:long} %{NUMBER:iis.access.body_sent.bytes:long} %{NUMBER:iis.access.body_received.bytes:long} 
%{NUMBER:iis.access.request_time_ms:long}", + "%{TIMESTAMP_ISO8601:iis.access.time} \\[%{IPORHOST:destination.address}\\]\\(http://%{IPORHOST:destination.address}\\) %{WORD:http.request.method} %{URIPATH:url.path} %{NOTSPACE:url.query} %{NUMBER:destination.port:long} %{NOTSPACE:user.name} \\[%{IPORHOST:source.address}\\]\\(http://%{IPORHOST:source.address}\\) %{NOTSPACE:iis.access.agent} %{NUMBER:http.response.status_code:long} %{NUMBER:iis.access.sub_status:long} %{NUMBER:iis.access.win32_status:long} %{NUMBER:iis.access.request_time_ms:long}" ], "ignore_missing": true } @@ -18,7 +18,7 @@ }, { "rename": { "field": "@timestamp", - "target_field": "read_timestamp" + "target_field": "event.created" } }, { "date": { @@ -73,10 +73,33 @@ "field": "iis.access.agent", "target_field": "user_agent.original" } + }, { + "grok": { + "field": "destination.address", + "ignore_failure": true, + "patterns": [ + "%{NOZONEIP:destination.ip}" + ], + "pattern_definitions": { + "NOZONEIP": "[^%]*" + } + } + }, { + "grok": { + "field": "source.address", + "ignore_failure": true, + "patterns": [ + "%{NOZONEIP:source.ip}" + ], + "pattern_definitions": { + "NOZONEIP": "[^%]*" + } + } }, { "geoip": { "field": "source.ip", - "target_field": "source.geo" + "target_field": "source.geo", + "ignore_missing": true } }], "on_failure" : [{ diff --git a/filebeat/module/iis/access/test/test-iis-7.5.log-expected.json b/filebeat/module/iis/access/test/test-iis-7.5.log-expected.json index 7717db8c11c8..8865c1916404 100644 --- a/filebeat/module/iis/access/test/test-iis-7.5.log-expected.json +++ b/filebeat/module/iis/access/test/test-iis-7.5.log-expected.json @@ -1,6 +1,7 @@ [ { "@timestamp": "2018-08-28T18:24:25.000Z", + "destination.address": "10.100.220.70", "destination.ip": "10.100.220.70", "destination.port": 80, "ecs.version": "1.0.0-beta2", 
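Review bot: In the `@@ -73,10 +73,33 @@` hunk the `geoip` processor gains `"ignore_missing": true` but not `"ignore_failure": true`, although the two grok processors above it do not validate what they copy into `source.ip` and `destination.ip`. `NOZONEIP` is `[^%]*`, which accepts any text without a percent sign, and the first grok captures the address with `IPORHOST`, which also accepts host names. A non-IP value would therefore presumably reach `geoip` and send the whole event to `on_failure`. The error pipeline in this commit (hunk `@@ -29,22 +29,29 @@` of error/ingest/default.json) takes the opposite choices: no `ignore_failure` on the grok processors and `"ignore_failure": true` on `geoip`. The two pipelines should agree, for instance by adding `"ignore_failure": true` to `geoip` here and `"ignore_missing": true` there. A comment is not possible in this JSON file, so the reason for `NOZONEIP` (stripping the IPv6 zone id before the value is treated as an IP) belongs in the module docs.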
@@ -14,6 +15,7 @@ "iis.access.win32_status": 2, "input.type": "log", "log.offset": 244, + "source.address": "10.100.118.31", "source.ip": "10.100.118.31", "url.path": "/", "url.query": "-", diff --git a/filebeat/module/iis/access/test/test-ipv6zone.log b/filebeat/module/iis/access/test/test-ipv6zone.log new file mode 100644 index 000000000000..45519b2966f8 --- /dev/null +++ b/filebeat/module/iis/access/test/test-ipv6zone.log @@ -0,0 +1,5 @@ +#Software: Microsoft Internet Information Services 10.0 +#Version: 1.0 +#Date: 2018-01-01 10:11:12 +#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken +2018-01-01 10:11:12 W3SVC1 MACHINE-NAME ::1%0 GET / - 80 - ::1%0 HTTP/1.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_14_0)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36 - - example.com 200 0 0 123 456 789 diff --git a/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json b/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json new file mode 100644 index 000000000000..bb3bd72a6291 --- /dev/null +++ b/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json 
@@ -0,0 +1,42 @@ +[ + { + "@timestamp": "2018-01-01T10:11:12.000Z", + "destination.address": "::1%0", + "destination.domain": "example.com", + "destination.ip": "::1", + "destination.port": 80, + "ecs.version": "1.0.0-beta2", + "event.dataset": "iis.access", + "event.module": "iis", + "fileset.name": "access", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.status_code": 200, + "http.version": "1.1", + "iis.access.body_received.bytes": 456, + "iis.access.body_sent.bytes": 123, + "iis.access.cookie": "-", + "iis.access.request_time_ms": 789, + "iis.access.server_name": "MACHINE-NAME", + "iis.access.site_name": "W3SVC1", + "iis.access.sub_status": 0, + "iis.access.win32_status": 0, + "input.type": "log", + "log.offset": 331, + "source.address": "::1%0", + "source.ip": "::1", + "url.path": "/", + "url.query": "-", + "user.name": "-", + "user_agent.device": "Other", + "user_agent.major": "70", + "user_agent.minor": "0", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", + "user_agent.os.full_name": "Mac OS X 10.14.0", + "user_agent.os.major": "10", + "user_agent.os.minor": "14", + "user_agent.os.name": "Mac OS X", + "user_agent.patch": "3538" + } +] \ No newline at end of file diff --git a/filebeat/module/iis/access/test/test.log-expected.json b/filebeat/module/iis/access/test/test.log-expected.json index 1f348f65e968..fc693287281a 100644 --- a/filebeat/module/iis/access/test/test.log-expected.json +++ b/filebeat/module/iis/access/test/test.log-expected.json @@ -1,6 +1,7 @@ [ { "@timestamp": "2018-01-01T08:09:10.000Z", + "destination.address": "127.0.0.1", "destination.ip": "127.0.0.1", "destination.port": 80, "ecs.version": "1.0.0-beta2", 
@@ -15,6 +16,7 @@ "iis.access.win32_status": 0, "input.type": "log", "log.offset": 257, + "source.address": "85.181.35.98", "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", @@ -54,6 +56,7 @@ "iis.access.win32_status": 0, "input.type": "log", "log.offset": 709, + "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "url.path": "/", "url.query": "-", @@ -68,6 +71,7 @@ }, { "@timestamp": "2018-01-01T10:11:12.000Z", + "destination.address": "127.0.0.1", "destination.domain": "example.com", "destination.ip": "127.0.0.1", "destination.port": 80, @@ -89,6 +93,7 @@ "iis.access.win32_status": 0, "input.type": "log", "log.offset": 1204, + "source.address": "85.181.35.98", "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", diff --git a/filebeat/module/iis/error/_meta/fields.yml b/filebeat/module/iis/error/_meta/fields.yml index 90ff367b836a..1876508a0c73 100644 --- a/filebeat/module/iis/error/_meta/fields.yml +++ b/filebeat/module/iis/error/_meta/fields.yml 
@@ -3,75 +3,71 @@ description: > Contains fields for IIS error logs. fields: - - name: remote_ip + - name: reason_phrase type: keyword description: > - The client IP address. - - name: remote_port - type: long - description: > - The client port number. - - name: server_ip + The HTTP reason phrase. + - name: queue_name type: keyword description: > - The server IP address. + The IIS application pool name. + + - name: remote_ip + type: alias + path: source.address + migration: true + - name: remote_port + type: alias + path: source.port + migration: true + - name: server_ip + type: alias + path: destination.address + migration: true - name: server_port - type: long - description: > - The server port number. + type: alias + path: destination.port + migration: true - name: http_version - type: keyword - description: > - The HTTP version. + type: alias + path: http.version + migration: true - name: method - type: keyword - example: GET - description: > - The request HTTP method. + type: alias + path: http.request.method + migration: true - name: url - type: keyword - description: > - The request HTTP URL. + type: alias + path: url.original + migration: true - name: response_code - type: long - description: > - The HTTP response code. - - name: reason_phrase - type: keyword - description: > - The HTTP reason phrase. - - name: queue_name - type: keyword - description: > - The IIS application pool name. + type: alias + path: http.response.status_code + migration: true - name: geoip type: group - description: > - Contains GeoIP information gathered based on the remote_ip field. - Only present if the GeoIP Elasticsearch plugin is available and - used. fields: - name: continent_name - type: keyword - description: > - The name of the continent. + type: alias + path: source.geo.continent_name + migration: true - name: country_iso_code - type: keyword - description: > - Country ISO code. 
+ type: alias + path: source.geo.country_iso_code + migration: true - name: location - type: geo_point - description: > - The longitude and latitude. + type: alias + path: source.geo.location + migration: true - name: region_name - type: keyword - description: > - The region name. + type: alias + path: source.geo.region_name + migration: true - name: city_name - type: keyword - description: > - The city name. + type: alias + path: source.geo.city_name + migration: true - name: region_iso_code - type: keyword - description: > - Region ISO code. + type: alias + path: source.geo.region_iso_code + migration: true diff --git a/filebeat/module/iis/error/ingest/default.json b/filebeat/module/iis/error/ingest/default.json index af3c470afe7f..2ff4c6e56692 100644 --- a/filebeat/module/iis/error/ingest/default.json +++ b/filebeat/module/iis/error/ingest/default.json @@ -4,7 +4,7 @@ "grok": { "field": "message", "patterns":[ - "%{TIMESTAMP_ISO8601:iis.error.time} %{IPORHOST:iis.error.remote_ip} %{NUMBER:iis.error.remote_port} %{IPORHOST:iis.error.server_ip} %{IPORHOST:iis.error.server_port} (?:HTTP/%{NUMBER:iis.error.http_version}|-) (?:%{WORD:iis.error.method}|-) (?:%{URIPATHPARAM:iis.error.url}|-)(?: -)? (?:%{NUMBER:iis.error.response_code}|-) (?:%{NUMBER}|-) (?:%{NOTSPACE:iis.error.reason_phrase}|-) (?:%{NOTSPACE:iis.error.queue_name}|-)" + "%{TIMESTAMP_ISO8601:iis.error.time} %{IPORHOST:source.address} %{NUMBER:source.port:long} %{IPORHOST:destination.address} %{IPORHOST:destination.port:long} (?:HTTP/%{NUMBER:http.version}|-) (?:%{WORD:http.request.method}|-) (?:%{URIPATHPARAM:url.original}|-)(?: -)? (?:%{NUMBER:http.response.status_code:long}|-) (?:%{NUMBER}|-) (?:%{NOTSPACE:iis.error.reason_phrase}|-) (?:%{NOTSPACE:iis.error.queue_name}|-)" ], "ignore_missing": true } 
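Review bot: The new grok pattern in error/ingest/default.json captures the server port as `%{IPORHOST:destination.port:long}`, a host-name pattern with a numeric conversion attached. It works for the fixture value `80` only because `IPORHOST` happens to match digits; a value that matches the host pattern but is not numeric would likely fail the `long` conversion and drop the event into `on_failure`. The source port on the same line already uses the right pattern, so the capture should read `%{NUMBER:destination.port:long}`. The loose pattern was already present before this commit as `%{IPORHOST:iis.error.server_port}`, but the added `:long` is what makes it matter.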
@@ -29,22 +29,29 @@ } }, { "grok": { - "field": "iis.error.remote_ip", + "field": "destination.address", "patterns": [ - "%{NOZONEIP:iis.error.remote_ip_geoip}" + "%{NOZONEIP:destination.ip}" ], "pattern_definitions": { "NOZONEIP": "[^%]*" } } }, { - "geoip": { - "field": "iis.error.remote_ip_geoip", - "target_field": "iis.error.geoip" + "grok": { + "field": "source.address", + "patterns": [ + "%{NOZONEIP:source.ip}" + ], + "pattern_definitions": { + "NOZONEIP": "[^%]*" + } } }, { - "remove": { - "field": "iis.error.remote_ip_geoip" + "geoip": { + "field": "source.ip", + "target_field": "source.geo", + "ignore_failure": true } }], "on_failure" : [{ diff --git a/filebeat/module/iis/error/test/ipv6_zone_id.log-expected.json b/filebeat/module/iis/error/test/ipv6_zone_id.log-expected.json index 1bf44c680690..b65e1f2910d5 100644 --- a/filebeat/module/iis/error/test/ipv6_zone_id.log-expected.json +++ b/filebeat/module/iis/error/test/ipv6_zone_id.log-expected.json @@ -1,17 +1,19 @@ [ { "@timestamp": "2018-12-30T14:22:07.000Z", + "destination.address": "::1%0", + "destination.ip": "::1", + "destination.port": 80, "ecs.version": "1.0.0-beta2", "event.dataset": "iis.error", "event.module": "iis", "fileset.name": "error", "iis.error.queue_name": "-", "iis.error.reason_phrase": "Timer_ConnectionIdle", - "iis.error.remote_ip": "::1%0", - "iis.error.remote_port": "49958", - "iis.error.server_ip": "::1%0", - "iis.error.server_port": "80", "input.type": "log", - "log.offset": 195 + "log.offset": 195, + "source.address": "::1%0", + "source.ip": "::1", + "source.port": 49958 } ] \ No newline at end of file diff --git a/filebeat/module/iis/error/test/test.log-expected.json b/filebeat/module/iis/error/test/test.log-expected.json index eee8f8d026ab..a481a4142a65 100644 --- a/filebeat/module/iis/error/test/test.log-expected.json +++ b/filebeat/module/iis/error/test/test.log-expected.json 
@@ -1,95 +1,103 @@ [ { "@timestamp": "2018-01-01T08:09:10.000Z", + "destination.address": "172.31.77.6", + "destination.ip": "172.31.77.6", + "destination.port": 80, "ecs.version": "1.0.0-beta2", "event.dataset": "iis.error", "event.module": "iis", "fileset.name": "error", - "iis.error.http_version": "1.1", - "iis.error.method": "GET", + "http.request.method": "GET", + "http.response.status_code": 503, + "http.version": "1.1", "iis.error.queue_name": "-", "iis.error.reason_phrase": "ConnLimit", - "iis.error.remote_ip": "172.31.77.6", - "iis.error.remote_port": "2094", - "iis.error.response_code": "503", - "iis.error.server_ip": "172.31.77.6", - "iis.error.server_port": "80", - "iis.error.url": "/qos/1kbfile.txt", "input.type": "log", - "log.offset": 186 + "log.offset": 186, + "source.address": "172.31.77.6", + "source.ip": "172.31.77.6", + "source.port": 2094, + "url.original": "/qos/1kbfile.txt" }, { "@timestamp": "2018-01-01T09:10:11.000Z", + "destination.address": "127.0.0.1", + "destination.ip": "127.0.0.1", + "destination.port": 80, "ecs.version": "1.0.0-beta2", "event.dataset": "iis.error", "event.module": "iis", "fileset.name": "error", - "iis.error.geoip.city_name": "Berlin", - "iis.error.geoip.continent_name": "Europe", - "iis.error.geoip.country_iso_code": "DE", - "iis.error.geoip.location.lat": 52.4908, - "iis.error.geoip.location.lon": 13.3275, - "iis.error.geoip.region_iso_code": "DE-BE", - "iis.error.geoip.region_name": "Land Berlin", - "iis.error.http_version": "1.1", - "iis.error.method": "GET", + "http.request.method": "GET", + "http.response.status_code": 400, + "http.version": "1.1", "iis.error.queue_name": "-", "iis.error.reason_phrase": "Hostname", - "iis.error.remote_ip": "85.181.35.98", - "iis.error.remote_port": "2780", - "iis.error.response_code": "400", - "iis.error.server_ip": "127.0.0.1", - "iis.error.server_port": "80", - "iis.error.url": "/ThisIsMyUrl.htm", "input.type": "log", - "log.offset": 286 + "log.offset": 286, + 
"source.address": "85.181.35.98", + "source.geo.city_name": "Berlin", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 52.4908, + "source.geo.location.lon": 13.3275, + "source.geo.region_iso_code": "DE-BE", + "source.geo.region_name": "Land Berlin", + "source.ip": "85.181.35.98", + "source.port": 2780, + "url.original": "/ThisIsMyUrl.htm" }, { "@timestamp": "2018-01-01T10:11:12.000Z", + "destination.address": "127.0.0.1", + "destination.ip": "127.0.0.1", + "destination.port": 80, "ecs.version": "1.0.0-beta2", "event.dataset": "iis.error", "event.module": "iis", "fileset.name": "error", - "iis.error.geoip.city_name": "Berlin", - "iis.error.geoip.continent_name": "Europe", - "iis.error.geoip.country_iso_code": "DE", - "iis.error.geoip.location.lat": 52.4908, - "iis.error.geoip.location.lon": 13.3275, - "iis.error.geoip.region_iso_code": "DE-BE", - "iis.error.geoip.region_name": "Land Berlin", - "iis.error.http_version": "2.0", - "iis.error.method": "GET", + "http.request.method": "GET", + "http.response.status_code": 505, + "http.version": "2.0", "iis.error.queue_name": "-", "iis.error.reason_phrase": "Version_N/S", - "iis.error.remote_ip": "85.181.35.98", - "iis.error.remote_port": "2894", - "iis.error.response_code": "505", - "iis.error.server_ip": "127.0.0.1", - "iis.error.server_port": "80", - "iis.error.url": "/", "input.type": "log", - "log.offset": 384 + "log.offset": 384, + "source.address": "85.181.35.98", + "source.geo.city_name": "Berlin", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 52.4908, + "source.geo.location.lon": 13.3275, + "source.geo.region_iso_code": "DE-BE", + "source.geo.region_name": "Land Berlin", + "source.ip": "85.181.35.98", + "source.port": 2894, + "url.original": "/" }, { "@timestamp": "2018-01-01T11:12:13.000Z", + "destination.address": "127.0.0.1", + "destination.ip": "127.0.0.1", + "destination.port": 80, 
"ecs.version": "1.0.0-beta2", "event.dataset": "iis.error", "event.module": "iis", "fileset.name": "error", - "iis.error.geoip.city_name": "Berlin", - "iis.error.geoip.continent_name": "Europe", - "iis.error.geoip.country_iso_code": "DE", - "iis.error.geoip.location.lat": 52.4908, - "iis.error.geoip.location.lon": 13.3275, - "iis.error.geoip.region_iso_code": "DE-BE", - "iis.error.geoip.region_name": "Land Berlin", "iis.error.queue_name": "-", "iis.error.reason_phrase": "Timer_MinBytesPerSecond", - "iis.error.remote_ip": "85.181.35.98", - "iis.error.remote_port": "64388", - "iis.error.server_ip": "127.0.0.1", - "iis.error.server_port": "80", "input.type": "log", - "log.offset": 470 + "log.offset": 470, + "source.address": "85.181.35.98", + "source.geo.city_name": "Berlin", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 52.4908, + "source.geo.location.lon": 13.3275, + "source.geo.region_iso_code": "DE-BE", + "source.geo.region_name": "Land Berlin", + "source.ip": "85.181.35.98", + "source.port": 64388 } ] \ No newline at end of file diff --git a/filebeat/module/iis/fields.go b/filebeat/module/iis/fields.go index 4158e4792101..9d010f231da4 100644 --- a/filebeat/module/iis/fields.go +++ b/filebeat/module/iis/fields.go @@ -31,5 +31,5 @@ func init() { // Asset returns asset data func Asset() string { - return "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" + return "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" }