diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 2a8c1621826..4e6e63b5781 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -235,6 +235,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Improve ECS field mappings in haproxy module. {issue}16162[16162] {pull}16529[16529] - Allow users to override pipeline ID in fileset input config. {issue}9531[9531] {pull}16561[16561] - Improve ECS categorization field mappings in logstash module. {issue}16169[16169] {pull}16668[16668] +- Improve ECS categorization field mappings in iis module. {issue}16165[16165] {pull}16618[16618] *Heartbeat* diff --git a/filebeat/module/iis/access/ingest/default.json b/filebeat/module/iis/access/ingest/default.json deleted file mode 100644 index d9031009ae2..00000000000 --- a/filebeat/module/iis/access/ingest/default.json +++ /dev/null @@ -1,134 +0,0 @@ -{ - "description": "Pipeline for parsing IIS access logs. Requires the geoip and user_agent plugins.", - "processors": [ - { - "grok": { - "field": "message", - "patterns": [ - "%{TIMESTAMP_ISO8601:iis.access.time} %{IPORHOST:destination.address} %{WORD:http.request.method} %{NOTSPACE:url.path} %{NOTSPACE:url.query} %{NUMBER:destination.port:long} %{NOTSPACE:user.name} %{IPORHOST:source.address} %{NOTSPACE:user_agent.original} %{NOTSPACE:http.request.referrer} %{NUMBER:http.response.status_code:long} %{NUMBER:iis.access.sub_status:long} %{NUMBER:iis.access.win32_status:long} %{NUMBER:temp.duration:long}", - "%{TIMESTAMP_ISO8601:iis.access.time} %{NOTSPACE:iis.access.site_name} %{WORD:http.request.method} %{NOTSPACE:url.path} %{NOTSPACE:url.query} %{NUMBER:destination.port:long} %{NOTSPACE:user.name} %{IPORHOST:source.address} %{NOTSPACE:user_agent.original} %{NOTSPACE:iis.access.cookie} %{NOTSPACE:http.request.referrer} %{NOTSPACE:destination.domain} %{NUMBER:http.response.status_code:long} %{NUMBER:iis.access.sub_status:long} %{NUMBER:iis.access.win32_status:long} %{NUMBER:http.response.body.bytes:long} %{NUMBER:http.request.body.bytes:long} %{NUMBER:temp.duration:long}", - "%{TIMESTAMP_ISO8601:iis.access.time} %{NOTSPACE:iis.access.site_name} %{NOTSPACE:iis.access.server_name} %{IPORHOST:destination.address} %{WORD:http.request.method} %{NOTSPACE:url.path} %{NOTSPACE:url.query} %{NUMBER:destination.port:long} %{NOTSPACE:user.name} %{IPORHOST:source.address} HTTP/%{NUMBER:http.version} %{NOTSPACE:user_agent.original} %{NOTSPACE:iis.access.cookie} %{NOTSPACE:http.request.referrer} %{NOTSPACE:destination.domain} %{NUMBER:http.response.status_code:long} %{NUMBER:iis.access.sub_status:long} %{NUMBER:iis.access.win32_status:long} %{NUMBER:http.response.body.bytes:long} %{NUMBER:http.request.body.bytes:long} %{NUMBER:temp.duration:long}", - "%{TIMESTAMP_ISO8601:iis.access.time} \\[%{IPORHOST:destination.address}\\]\\(http://%{IPORHOST:destination.address}\\) %{WORD:http.request.method} %{NOTSPACE:url.path} %{NOTSPACE:url.query} %{NUMBER:destination.port:long} %{NOTSPACE:user.name} \\[%{IPORHOST:source.address}\\]\\(http://%{IPORHOST:source.address}\\) %{NOTSPACE:user_agent.original} %{NUMBER:http.response.status_code:long} %{NUMBER:iis.access.sub_status:long} %{NUMBER:iis.access.win32_status:long} %{NUMBER:temp.duration:long}", - "%{TIMESTAMP_ISO8601:iis.access.time} %{IPORHOST:destination.address} %{WORD:http.request.method} %{NOTSPACE:url.path} %{NOTSPACE:url.query} %{NUMBER:destination.port:long} %{NOTSPACE:user.name} %{IPORHOST:source.address} %{NOTSPACE:user_agent.original} %{NUMBER:http.response.status_code:long} %{NUMBER:iis.access.sub_status:long} %{NUMBER:iis.access.win32_status:long} %{NUMBER:temp.duration:long}" - ], - "ignore_missing": true - } - }, - { - "remove": { - "field": "message" - } - }, - { - "rename": { - "field": "@timestamp", - "target_field": "event.created" - } - }, - { - "date": { - "field": "iis.access.time", - "target_field": "@timestamp", - "formats": [ - "yyyy-MM-dd HH:mm:ss" - ] - } - }, - { - "remove": { - "field": "iis.access.time" - } - }, - { - "script": { - "lang": "painless", - "source": "ctx.event.duration = Math.round(ctx.temp.duration * params.scale)", - "params": { - "scale": 1000000 - }, - "if": "ctx.temp?.duration != null" - } - }, - { - "remove": { - "field": "temp.duration", - "ignore_missing": true - } - }, - { - "urldecode": { - "field": "user_agent.original" - } - }, - { - "user_agent": { - "field": "user_agent.original" - } - }, - { - "grok": { - "field": "destination.address", - "ignore_failure": true, - "patterns": [ - "%{NOZONEIP:destination.ip}" - ], - "pattern_definitions": { - "NOZONEIP": "[^%]*" - } - } - }, - { - "grok": { - "field": "source.address", - "ignore_failure": true, - "patterns": [ - "%{NOZONEIP:source.ip}" - ], - "pattern_definitions": { - "NOZONEIP": "[^%]*" - } - } - }, - { - "geoip": { - "field": "source.ip", - "target_field": "source.geo", - "ignore_missing": true - } - }, - { - "geoip": { - "database_file": "GeoLite2-ASN.mmdb", - "field": "source.ip", - "target_field": "source.as", - "properties": [ - "asn", - "organization_name" - ], - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.asn", - "target_field": "source.as.number", - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.organization_name", - "target_field": "source.as.organization.name", - "ignore_missing": true - } - } - ], - "on_failure": [ - { - "set": { - "field": "error.message", - "value": "{{ _ingest.on_failure_message }}" - } - } - ] -} diff --git a/filebeat/module/iis/access/ingest/pipeline.yml b/filebeat/module/iis/access/ingest/pipeline.yml new file mode 100644 index 00000000000..4437c090c7a --- /dev/null +++ b/filebeat/module/iis/access/ingest/pipeline.yml @@ -0,0 +1,139 @@ +description: Pipeline for parsing IIS access logs. Requires the geoip and user_agent + plugins. +processors: +- grok: + field: message + patterns: + - '%{TIMESTAMP_ISO8601:iis.access.time} (?:-|%{IPORHOST:destination.address}) (?:-|%{WORD:http.request.method}) + (?:-|%{NOTSPACE:url.path}) (?:-|%{NOTSPACE:url.query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name}) + (?:-|%{IPORHOST:source.address}) (?:-|%{NOTSPACE:user_agent.original}) (?:-|%{NOTSPACE:http.request.referrer}) + (?:-|%{NUMBER:http.response.status_code:long}) (?:-|%{NUMBER:iis.access.sub_status:long}) + (?:-|%{NUMBER:iis.access.win32_status:long}) (?:-|%{NUMBER:temp.duration:long})' + - '%{TIMESTAMP_ISO8601:iis.access.time} (?:-|%{NOTSPACE:iis.access.site_name}) (?:-|%{WORD:http.request.method}) + (?:-|%{NOTSPACE:url.path}) (?:-|%{NOTSPACE:url.query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name}) + (?:-|%{IPORHOST:source.address}) (?:-|%{NOTSPACE:user_agent.original}) (?:-|%{NOTSPACE:iis.access.cookie}) + (?:-|%{NOTSPACE:http.request.referrer}) (?:-|%{NOTSPACE:destination.domain}) (?:-|%{NUMBER:http.response.status_code:long}) + (?:-|%{NUMBER:iis.access.sub_status:long}) (?:-|%{NUMBER:iis.access.win32_status:long}) + (?:-|%{NUMBER:http.response.body.bytes:long}) (?:-|%{NUMBER:http.request.body.bytes:long}) + (?:-|%{NUMBER:temp.duration:long})' + - '%{TIMESTAMP_ISO8601:iis.access.time} (?:-|%{NOTSPACE:iis.access.site_name}) (?:-|%{NOTSPACE:iis.access.server_name}) + (?:-|%{IPORHOST:destination.address}) (?:-|%{WORD:http.request.method}) (?:-|%{NOTSPACE:url.path}) + (?:-|%{NOTSPACE:url.query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name}) + (?:-|%{IPORHOST:source.address}) (?:-|HTTP/%{NUMBER:http.version}) (?:-|%{NOTSPACE:user_agent.original}) + (?:-|%{NOTSPACE:iis.access.cookie}) (?:-|%{NOTSPACE:http.request.referrer}) (?:-|%{NOTSPACE:destination.domain}) + (?:-|%{NUMBER:http.response.status_code:long}) (?:-|%{NUMBER:iis.access.sub_status:long}) + (?:-|%{NUMBER:iis.access.win32_status:long}) (?:-|%{NUMBER:http.response.body.bytes:long}) + (?:-|%{NUMBER:http.request.body.bytes:long}) (?:-|%{NUMBER:temp.duration:long})' + - '%{TIMESTAMP_ISO8601:iis.access.time} \[%{IPORHOST:destination.address}\]\(http://%{IPORHOST:destination.address}\) + (?:-|%{WORD:http.request.method}) (?:-|%{NOTSPACE:url.path}) (?:-|%{NOTSPACE:url.query}) (?:-|%{NUMBER:destination.port:long}) + (?:-|%{NOTSPACE:user.name}) \[%{IPORHOST:source.address}\]\(http://%{IPORHOST:source.address}\) + (?:-|%{NOTSPACE:user_agent.original}) (?:-|%{NUMBER:http.response.status_code:long}) (?:-|%{NUMBER:iis.access.sub_status:long}) + (?:-|%{NUMBER:iis.access.win32_status:long}) (?:-|%{NUMBER:temp.duration:long})' + - '%{TIMESTAMP_ISO8601:iis.access.time} (?:-|%{IPORHOST:destination.address}) (?:-|%{WORD:http.request.method}) + (?:-|%{NOTSPACE:url.path}) (?:-|%{NOTSPACE:url.query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name}) + (?:-|%{IPORHOST:source.address}) (?:-|%{NOTSPACE:user_agent.original}) (?:-|%{NUMBER:http.response.status_code:long}) + (?:-|%{NUMBER:iis.access.sub_status:long}) (?:-|%{NUMBER:iis.access.win32_status:long}) + (?:-|%{NUMBER:temp.duration:long})' + ignore_missing: true +- remove: + field: message +- rename: + field: '@timestamp' + target_field: event.created +- date: + field: iis.access.time + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss +- remove: + field: iis.access.time +- script: + lang: painless + source: ctx.event.duration = Math.round(ctx.temp.duration * params.scale) + params: + scale: 1000000 + if: ctx.temp?.duration != null +- remove: + field: temp.duration + ignore_missing: true +- urldecode: + field: user_agent.original + ignore_missing: true +- user_agent: + field: user_agent.original + ignore_missing: true +- grok: + field: destination.address + ignore_failure: true + patterns: + - '%{NOZONEIP:destination.ip}' + pattern_definitions: + NOZONEIP: '[^%]*' +- grok: + field: source.address + ignore_failure: true + patterns: + - '%{NOZONEIP:source.ip}' + pattern_definitions: + NOZONEIP: '[^%]*' +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- set: + field: event.kind + value: event +- append: + field: event.category + value: web +- append: + field: event.category + value: network + if: "ctx?.source?.ip != null && ctx?.destination?.ip != null" +- append: + field: event.type + value: connection + if: "ctx?.source?.ip != null && ctx?.destination?.ip != null" +- lowercase: + field: http.request.method + ignore_missing: true +- append: + field: related.ip + value: "{{source.ip}}" + if: "ctx?.source?.ip != null" +- append: + field: related.ip + value: "{{destination.ip}}" + if: "ctx?.destination?.ip != null" +- append: + field: related.user + value: "{{user.name}}" + if: "ctx?.user?.name != null" +- set: + field: event.outcome + value: success + if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code < 400" +- set: + field: event.outcome + value: failure + if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code >= 400" +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/filebeat/module/iis/access/manifest.yml b/filebeat/module/iis/access/manifest.yml index 097afa5ed28..b67f0c7133a 100644 --- a/filebeat/module/iis/access/manifest.yml +++ b/filebeat/module/iis/access/manifest.yml @@ -9,7 +9,7 @@ var: os.windows: - C:/inetpub/logs/LogFiles/*/*.log -ingest_pipeline: ingest/default.json +ingest_pipeline: ingest/pipeline.yml input: config/iis-access.yml requires.processors: diff --git a/filebeat/module/iis/access/test/test-iis-7.2.log-expected.json b/filebeat/module/iis/access/test/test-iis-7.2.log-expected.json index fe5467b9b1a..990d2a171c1 100644 --- a/filebeat/module/iis/access/test/test-iis-7.2.log-expected.json +++ b/filebeat/module/iis/access/test/test-iis-7.2.log-expected.json @@ -4,23 +4,34 @@ "destination.address": "10.44.0.136", "destination.ip": "10.44.0.136", "destination.port": 8080, + "event.category": [ + "web", + "network" + ], "event.dataset": "iis.access", "event.duration": 0, + "event.kind": "event", "event.module": "iis", + "event.outcome": "failure", + "event.type": [ + "connection" + ], "fileset.name": "access", - "http.request.method": "GET", - "http.request.referrer": "-", + "http.request.method": "get", "http.response.status_code": 404, "iis.access.sub_status": 0, "iis.access.win32_status": 64, "input.type": "log", "log.offset": 0, + "related.ip": [ + "10.50.6.188", + "10.44.0.136" + ], "service.type": "iis", "source.address": "10.50.6.188", "source.ip": "10.50.6.188", "url.path": "/pbserver/..\u00c0\u00af..\u00c0\u00af..\u00c0\u00af..\u00c0\u00af..\u00c0\u00af../winnt/system32/cmd.exe", "url.query": "/c+dir+c:\\+/OG", - "user.name": "-", "user_agent.device.name": "Other", "user_agent.name": "IE", "user_agent.original": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", @@ -34,23 +45,34 @@ "destination.address": "10.44.0.136", "destination.ip": "10.44.0.136", "destination.port": 8080, + "event.category": [ + "web", + "network" + ], "event.dataset": "iis.access", "event.duration": 46000000, + "event.kind": "event", "event.module": "iis", + "event.outcome": "failure", + "event.type": [ + "connection" + ], "fileset.name": "access", - "http.request.method": "GET", - "http.request.referrer": "-", + "http.request.method": "get", "http.response.status_code": 404, "iis.access.sub_status": 0, "iis.access.win32_status": 2, "input.type": "log", "log.offset": 213, + "related.ip": [ + "10.50.6.188", + "10.44.0.136" + ], "service.type": "iis", "source.address": "10.50.6.188", "source.ip": "10.50.6.188", "url.path": "/pbserver/..\u00c1\u00c1..\u00c1\u00c1..\u00c1\u00c1..\u00c1\u00c1..\u00c1\u00c1../winnt/system32/cmd.exe", "url.query": "/c+dir+c:\\+/OG", - "user.name": "-", "user_agent.device.name": "Other", "user_agent.name": "IE", "user_agent.original": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", @@ -64,23 +86,33 @@ "destination.address": "10.44.0.136", "destination.ip": "10.44.0.136", "destination.port": 443, + "event.category": [ + "web", + "network" + ], "event.dataset": "iis.access", "event.duration": 0, + "event.kind": "event", "event.module": "iis", + "event.outcome": "failure", + "event.type": [ + "connection" + ], "fileset.name": "access", - "http.request.method": "GET", - "http.request.referrer": "-", + "http.request.method": "get", "http.response.status_code": 401, "iis.access.sub_status": 0, "iis.access.win32_status": 0, "input.type": "log", "log.offset": 426, + "related.ip": [ + "10.50.6.188", + "10.44.0.136" + ], "service.type": "iis", "source.address": "10.50.6.188", "source.ip": "10.50.6.188", "url.path": "/Director", - "url.query": "-", - "user.name": "-", "user_agent.device.name": "Other", "user_agent.name": "IE", "user_agent.original": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", @@ -94,23 +126,33 @@ "destination.address": "10.44.0.136", "destination.ip": "10.44.0.136", "destination.port": 443, + "event.category": [ + "web", + "network" + ], "event.dataset": "iis.access", "event.duration": 0, + "event.kind": "event", "event.module": "iis", + "event.outcome": "failure", + "event.type": [ + "connection" + ], "fileset.name": "access", - "http.request.method": "GET", - "http.request.referrer": "-", + "http.request.method": "get", "http.response.status_code": 401, "iis.access.sub_status": 0, "iis.access.win32_status": 0, "input.type": "log", "log.offset": 568, + "related.ip": [ + "10.50.6.188", + "10.44.0.136" + ], "service.type": "iis", "source.address": "10.50.6.188", "source.ip": "10.50.6.188", "url.path": "/", - "url.query": "-", - "user.name": "-", "user_agent.device.name": "Other", "user_agent.name": "IE", "user_agent.original": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", @@ -124,23 +166,34 @@ "destination.address": "10.44.0.136", "destination.ip": "10.44.0.136", "destination.port": 8080, + "event.category": [ + "web", + "network" + ], "event.dataset": "iis.access", "event.duration": 15000000, + "event.kind": "event", "event.module": "iis", + "event.outcome": "failure", + "event.type": [ + "connection" + ], "fileset.name": "access", - "http.request.method": "GET", - "http.request.referrer": "-", + "http.request.method": "get", "http.response.status_code": 404, "iis.access.sub_status": 0, "iis.access.win32_status": 64, "input.type": "log", "log.offset": 702, + "related.ip": [ + "10.50.6.188", + "10.44.0.136" + ], "service.type": "iis", "source.address": "10.50.6.188", "source.ip": "10.50.6.188", "url.path": "/pbserver/..\u00c1\u0153..\u00c1\u0153..\u00c1\u0153..\u00c1\u0153..\u00c1\u0153../winnt/system32/cmd.exe", "url.query": "/c+dir+c:\\+/OG", - "user.name": "-", "user_agent.device.name": "Other", "user_agent.name": "IE", "user_agent.original": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", diff --git a/filebeat/module/iis/access/test/test-iis-7.5.log-expected.json b/filebeat/module/iis/access/test/test-iis-7.5.log-expected.json index b11435f2f1c..0c3a2abb1b1 100644 --- a/filebeat/module/iis/access/test/test-iis-7.5.log-expected.json +++ b/filebeat/module/iis/access/test/test-iis-7.5.log-expected.json @@ -4,22 +4,33 @@ "destination.address": "10.100.220.70", "destination.ip": "10.100.220.70", "destination.port": 80, + "event.category": [ + "web", + "network" + ], "event.dataset": "iis.access", "event.duration": 792000000, + "event.kind": "event", "event.module": "iis", + "event.outcome": "failure", + "event.type": [ + "connection" + ], "fileset.name": "access", - "http.request.method": "GET", + "http.request.method": "get", "http.response.status_code": 404, "iis.access.sub_status": 4, "iis.access.win32_status": 2, "input.type": "log", "log.offset": 244, + "related.ip": [ + "10.100.118.31", + "10.100.220.70" + ], "service.type": "iis", "source.address": "10.100.118.31", "source.ip": "10.100.118.31", "url.path": "/", - "url.query": "-", - "user.name": "-", "user_agent.device.name": "Other", "user_agent.name": "IE", "user_agent.original": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR[ 2.0.50727](tel: 2050727); .NET CLR 3.0.30729)", @@ -33,74 +44,98 @@ "destination.address": "10.0.140.107", "destination.ip": "10.0.140.107", "destination.port": 80, + "event.category": [ + "web", + "network" + ], "event.dataset": "iis.access", "event.duration": 15000000, + "event.kind": "event", "event.module": "iis", + "event.outcome": "success", + "event.type": [ + "connection" + ], "fileset.name": "access", - "http.request.method": "GET", + "http.request.method": "get", "http.response.status_code": 200, "iis.access.sub_status": 0, "iis.access.win32_status": 0, "input.type": "log", "log.offset": 532, + "related.ip": [ + "10.0.140.2", + "10.0.140.107" + ], "service.type": "iis", "source.address": "10.0.140.2", "source.ip": "10.0.140.2", - "url.path": "/health-monitoring", - "url.query": "-", - "user.name": "-", - "user_agent.device.name": "Other", - "user_agent.name": "Other", - "user_agent.original": "-" + "url.path": "/health-monitoring" }, { "@timestamp": "2019-03-06T18:43:17.000Z", "destination.address": "10.0.140.107", "destination.ip": "10.0.140.107", "destination.port": 80, + "event.category": [ + "web", + "network" + ], "event.dataset": "iis.access", "event.duration": 15000000, + "event.kind": "event", "event.module": "iis", + "event.outcome": "success", + "event.type": [ + "connection" + ], "fileset.name": "access", - "http.request.method": "GET", + "http.request.method": "get", "http.response.status_code": 200, "iis.access.sub_status": 0, "iis.access.win32_status": 0, "input.type": "log", "log.offset": 619, + "related.ip": [ + "10.0.140.2", + "10.0.140.107" + ], "service.type": "iis", "source.address": "10.0.140.2", "source.ip": "10.0.140.2", - "url.path": "/health-monitoring", - "url.query": "-", - "user.name": "-", - "user_agent.device.name": "Other", - "user_agent.name": "Other", - "user_agent.original": "-" + "url.path": "/health-monitoring" }, { "@timestamp": "2019-03-06T18:43:17.000Z", "destination.address": "2001:cdba:0000:0000:0000:0000:3257:9652", "destination.ip": "2001:cdba:0000:0000:0000:0000:3257:9652", "destination.port": 80, + "event.category": [ + "web", + "network" + ], "event.dataset": "iis.access", "event.duration": 15000000, + "event.kind": "event", "event.module": "iis", + "event.outcome": "success", + "event.type": [ + "connection" + ], "fileset.name": "access", - "http.request.method": "GET", + "http.request.method": "get", "http.response.status_code": 200, "iis.access.sub_status": 0, "iis.access.win32_status": 0, "input.type": "log", "log.offset": 706, + "related.ip": [ + "2001:cdba:0000:0000:0000:0000:3257:9652", + "2001:cdba:0000:0000:0000:0000:3257:9652" + ], "service.type": "iis", "source.address": "2001:cdba:0000:0000:0000:0000:3257:9652", "source.ip": "2001:cdba:0000:0000:0000:0000:3257:9652", - "url.path": "/health-monitoring", - "url.query": "-", - "user.name": "-", - "user_agent.device.name": "Other", - "user_agent.name": "Other", - "user_agent.original": "-" + "url.path": "/health-monitoring" } ] \ No newline at end of file diff --git a/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json b/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json index b64789ad2ae..357380f628e 100644 --- a/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json +++ b/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json @@ -5,29 +5,38 @@ "destination.domain": "example.com", "destination.ip": "::1", "destination.port": 80, + "event.category": [ + "web", + "network" + ], "event.dataset": "iis.access", "event.duration": 789000000, + "event.kind": "event", "event.module": "iis", + "event.outcome": "success", + "event.type": [ + "connection" + ], "fileset.name": "access", "http.request.body.bytes": 456, - "http.request.method": "GET", - "http.request.referrer": "-", + "http.request.method": "get", "http.response.body.bytes": 123, "http.response.status_code": 200, "http.version": "1.1", - "iis.access.cookie": "-", "iis.access.server_name": "MACHINE-NAME", "iis.access.site_name": "W3SVC1", "iis.access.sub_status": 0, "iis.access.win32_status": 0, "input.type": "log", "log.offset": 331, + "related.ip": [ + "::1", + "::1" + ], "service.type": "iis", "source.address": "::1%0", "source.ip": "::1", "url.path": "/", - "url.query": "-", - "user.name": "-", "user_agent.device.name": "Other", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", diff --git a/filebeat/module/iis/access/test/test.log-expected.json b/filebeat/module/iis/access/test/test.log-expected.json index 6b0a9120c1a..7ef0cfac036 100644 --- a/filebeat/module/iis/access/test/test.log-expected.json +++ b/filebeat/module/iis/access/test/test.log-expected.json @@ -4,17 +4,29 @@ "destination.address": "127.0.0.1", "destination.ip": "127.0.0.1", "destination.port": 80, + "event.category": [ + "web", + "network" + ], "event.dataset": "iis.access", "event.duration": 123000000, + "event.kind": "event", "event.module": "iis", + "event.outcome": "success", + "event.type": [ + "connection" + ], "fileset.name": "access", - "http.request.method": "GET", - "http.request.referrer": "-", + "http.request.method": "get", "http.response.status_code": 200, "iis.access.sub_status": 0, "iis.access.win32_status": 0, "input.type": "log", "log.offset": 257, + "related.ip": [ + "85.181.35.98", + "127.0.0.1" + ], "service.type": "iis", "source.address": "85.181.35.98", "source.as.number": 6805, @@ -29,7 +41,6 @@ "source.ip": "85.181.35.98", "url.path": "/", "url.query": "q=100", - "user.name": "-", "user_agent.device.name": "Other", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0", @@ -42,27 +53,31 @@ "@timestamp": "2018-01-01T09:10:11.000Z", "destination.domain": "example.com", "destination.port": 80, + "event.category": [ + "web" + ], "event.dataset": "iis.access", "event.duration": 789000000, + "event.kind": "event", "event.module": "iis", + "event.outcome": "success", "fileset.name": "access", "http.request.body.bytes": 456, - "http.request.method": "GET", - "http.request.referrer": "-", + "http.request.method": "get", "http.response.body.bytes": 123, "http.response.status_code": 200, - "iis.access.cookie": "-", "iis.access.site_name": "W3SVC1", "iis.access.sub_status": 0, "iis.access.win32_status": 0, "input.type": "log", "log.offset": 709, + "related.ip": [ + "127.0.0.1" + ], "service.type": "iis", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "url.path": "/", - "url.query": "-", - "user.name": "-", "user_agent.device.name": "Other", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0", @@ -77,23 +92,34 @@ "destination.domain": "example.com", "destination.ip": "127.0.0.1", "destination.port": 80, + "event.category": [ + "web", + "network" + ], "event.dataset": "iis.access", "event.duration": 789000000, + "event.kind": "event", "event.module": "iis", + "event.outcome": "success", + "event.type": [ + "connection" + ], "fileset.name": "access", "http.request.body.bytes": 456, - "http.request.method": "GET", - "http.request.referrer": "-", + "http.request.method": "get", "http.response.body.bytes": 123, "http.response.status_code": 200, "http.version": "1.1", - "iis.access.cookie": "-", "iis.access.server_name": "MACHINE-NAME", "iis.access.site_name": "W3SVC1", "iis.access.sub_status": 0, "iis.access.win32_status": 0, "input.type": "log", "log.offset": 1204, + "related.ip": [ + "85.181.35.98", + "127.0.0.1" + ], "service.type": "iis", "source.address": "85.181.35.98", "source.as.number": 6805, @@ -107,8 +133,6 @@ "source.geo.region_name": "Land Berlin", "source.ip": "85.181.35.98", "url.path": "/", - "url.query": "-", - "user.name": "-", "user_agent.device.name": "Other", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", @@ -122,23 +146,34 @@ "destination.address": "10.44.0.136", "destination.ip": "10.44.0.136", "destination.port": 443, + "event.category": [ + "web", + "network" + ], "event.dataset": "iis.access", "event.duration": 0, + "event.kind": "event", "event.module": "iis", + "event.outcome": "failure", + "event.type": [ + "connection" + ], "fileset.name": "access", - "http.request.method": "GET", - "http.request.referrer": "-", + "http.request.method": "get", "http.response.status_code": 401, "iis.access.sub_status": 0, "iis.access.win32_status": 0, "input.type": "log", "log.offset": 1447, + "related.ip": [ + "10.50.6.188", + "10.44.0.136" + ], "service.type": "iis", "source.address": "10.50.6.188", "source.ip": "10.50.6.188", "url.path": "/", "url.query": "redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23webroot%3d%23req.getSession().getServletContext().getRealPath('/'),%23resp.println(%23webroot),%23resp.flush(),%23resp.close()}", - "user.name": "-", "user_agent.device.name": "Other", "user_agent.name": "IE", "user_agent.original": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", @@ -152,23 +187,33 @@ "destination.address": "10.44.0.136", "destination.ip": "10.44.0.136", "destination.port": 443, + "event.category": [ + "web", + "network" + ], "event.dataset": "iis.access", "event.duration": 0, + "event.kind": "event", "event.module": "iis", + "event.outcome": "failure", + "event.type": [ + "connection" + ], "fileset.name": "access", - "http.request.method": "GET", - "http.request.referrer": "-", + "http.request.method": "get", "http.response.status_code": 404, "iis.access.sub_status": 0, "iis.access.win32_status": 2, "input.type": "log", "log.offset": 1802, + "related.ip": [ + "10.50.6.188", + "10.44.0.136" + ], "service.type": "iis", "source.address": "10.50.6.188", "source.ip": "10.50.6.188", "url.path": "/${#context['xwork.MethodAccessor.denyMethodExecution']=!(#_memberAccess['allowStaticMethodAccess']=true),(@java.lang.Runtime@getRuntime()).exec('ipconfig').waitFor()}.action", - "url.query": "-", - "user.name": "-", "user_agent.device.name": "Other", "user_agent.name": "IE", "user_agent.original": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", diff --git a/filebeat/module/iis/error/ingest/default.json b/filebeat/module/iis/error/ingest/default.json deleted file mode 100644 index 86becffe28d..00000000000 --- a/filebeat/module/iis/error/ingest/default.json +++ /dev/null @@ -1,103 +0,0 @@ -{ - "description": "Pipeline for parsing IIS error logs. Requires the geoip plugin.", - "processors": [ - { - "grok": { - "field": "message", - "patterns": [ - "%{TIMESTAMP_ISO8601:iis.error.time} %{IPORHOST:source.address} %{NUMBER:source.port:long} %{IPORHOST:destination.address} %{IPORHOST:destination.port:long} (?:HTTP/%{NUMBER:http.version}|-) (?:%{WORD:http.request.method}|-) (?:-|%{NOTSPACE:url.original}) (?:%{NUMBER}|-) (?:%{NUMBER:http.response.status_code:long}|-) (?:%{NUMBER}|-) (?:-|%{NOTSPACE:iis.error.reason_phrase}) (?:-|%{NOTSPACE:iis.error.queue_name})", - "%{TIMESTAMP_ISO8601:iis.error.time} %{IPORHOST:source.address} %{NUMBER:source.port:long} %{IPORHOST:destination.address} %{IPORHOST:destination.port:long} (?:HTTP/%{NUMBER:http.version}|-) (?:%{WORD:http.request.method}|-) (?:-|%{NOTSPACE:url.original}) (?:%{NUMBER:http.response.status_code:long}|-) (?:%{NUMBER}|-) (?:-|%{NOTSPACE:iis.error.reason_phrase}) (?:-|%{NOTSPACE:iis.error.queue_name})" - ], - "ignore_missing": true - } - }, - { - "remove": { - "field": "message" - } - }, - { - "rename": { - "field": "@timestamp", - "target_field": "event.created" - } - }, - { - "date": { - "field": "iis.error.time", - "target_field": "@timestamp", - "formats": [ - "yyyy-MM-dd HH:mm:ss" - ] - } - }, - { - "remove": { - "field": "iis.error.time" - } - }, - { - "grok": { - "field": "destination.address", - "patterns": [ - "%{NOZONEIP:destination.ip}" - ], - "pattern_definitions": { - "NOZONEIP": "[^%]*" - } - } - }, - { - "grok": { - "field": "source.address", - "patterns": [ - "%{NOZONEIP:source.ip}" - ], - "pattern_definitions": { - "NOZONEIP": "[^%]*" - } - } - }, - { - "geoip": { - "field": "source.ip", - "target_field": "source.geo", - "ignore_failure": true - } - }, - { - "geoip": { - "database_file": "GeoLite2-ASN.mmdb", - "field": "source.ip", - "target_field": "source.as", - "properties": [ - "asn", - "organization_name" - ], - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.asn", - "target_field": "source.as.number", - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.organization_name", - "target_field": "source.as.organization.name", - "ignore_missing": true - } - } - ], - "on_failure": [ - { - "set": { - "field": "error.message", - "value": "{{ _ingest.on_failure_message }}" - } - } - ] -} diff --git a/filebeat/module/iis/error/ingest/pipeline.yml b/filebeat/module/iis/error/ingest/pipeline.yml new file mode 100644 index 00000000000..4e43aeac0bc --- /dev/null +++ b/filebeat/module/iis/error/ingest/pipeline.yml @@ -0,0 +1,96 @@ +description: Pipeline for parsing IIS error logs. Requires the geoip plugin. +processors: +- grok: + field: message + patterns: + - '%{TIMESTAMP_ISO8601:iis.error.time} %{IPORHOST:source.address} %{NUMBER:source.port:long} + %{IPORHOST:destination.address} %{IPORHOST:destination.port:long} (?:HTTP/%{NUMBER:http.version}|-) + (?:%{WORD:http.request.method}|-) (?:-|%{NOTSPACE:url.original}) (?:%{NUMBER}|-) + (?:%{NUMBER:http.response.status_code:long}|-) (?:%{NUMBER}|-) (?:-|%{NOTSPACE:iis.error.reason_phrase}) + (?:-|%{NOTSPACE:iis.error.queue_name})' + - '%{TIMESTAMP_ISO8601:iis.error.time} %{IPORHOST:source.address} %{NUMBER:source.port:long} + %{IPORHOST:destination.address} %{IPORHOST:destination.port:long} (?:HTTP/%{NUMBER:http.version}|-) + (?:%{WORD:http.request.method}|-) (?:-|%{NOTSPACE:url.original}) (?:%{NUMBER:http.response.status_code:long}|-) + (?:%{NUMBER}|-) (?:-|%{NOTSPACE:iis.error.reason_phrase}) (?:-|%{NOTSPACE:iis.error.queue_name})' + ignore_missing: true +- remove: + field: message +- rename: + field: '@timestamp' + target_field: event.created +- date: + field: iis.error.time + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss +- remove: + field: iis.error.time +- grok: + field: destination.address + patterns: + - '%{NOZONEIP:destination.ip}' + pattern_definitions: + NOZONEIP: '[^%]*' +- grok: + field: source.address + patterns: + - '%{NOZONEIP:source.ip}' + pattern_definitions: + NOZONEIP: '[^%]*' +- geoip: + field: source.ip + target_field: source.geo + ignore_failure: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- set: + field: event.kind + value: event +- append: + field: event.category + value: web +- append: + field: event.category + value: network + if: "ctx?.source?.ip != null && ctx?.destination?.ip != null" +- append: + field: event.type + value: connection + if: "ctx?.source?.ip != null && ctx?.destination?.ip != null" +- lowercase: + field: http.request.method + ignore_missing: true +- append: + field: related.ip + value: "{{source.ip}}" + if: "ctx?.source?.ip != null" +- append: + field: related.ip + value: "{{destination.ip}}" + if: "ctx?.destination?.ip != null" +- set: + field: event.outcome + value: success + if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code < 400" +- set: + field: event.outcome + value: failure + if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code >= 400" +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/filebeat/module/iis/error/manifest.yml b/filebeat/module/iis/error/manifest.yml index 577742f6e39..7c08f613d27 100644 --- a/filebeat/module/iis/error/manifest.yml +++ b/filebeat/module/iis/error/manifest.yml @@ -9,7 +9,7 @@ var: os.windows: - c:/Windows/System32/LogFiles/HTTPERR/*.log -ingest_pipeline: ingest/default.json +ingest_pipeline: ingest/pipeline.yml input: config/iis-error.yml requires.processors: diff --git a/filebeat/module/iis/error/test/iis_error_url.log-expected.json b/filebeat/module/iis/error/test/iis_error_url.log-expected.json index d18fa31544b..03258176f35 100644 --- a/filebeat/module/iis/error/test/iis_error_url.log-expected.json +++ b/filebeat/module/iis/error/test/iis_error_url.log-expected.json @@ -4,8 +4,17 @@ "destination.address": "192.168.101.101", "destination.ip": "192.168.101.101", "destination.port": 443, + "event.category": [ + "web", + "network" + ], "event.dataset": "iis.error", + "event.kind": "event", "event.module": "iis", + "event.outcome": "failure", + "event.type": [ + "connection" + ], "fileset.name": "error", "http.request.method": "t3", "http.response.status_code": 400, @@ -13,6 +22,10 @@ "iis.error.reason_phrase": "URL", "input.type": "log", "log.offset": 0, + "related.ip": [ + "149.42.83.135", + "192.168.101.101" + ], "service.type": "iis", "source.address": "149.42.83.135", "source.geo.continent_name": "North America", @@ -28,15 +41,28 @@ "destination.address": "192.168.101.101", "destination.ip": "192.168.101.101", "destination.port": 443, + "event.category": [ + "web", + "network" + ], "event.dataset": "iis.error", + "event.kind": "event", "event.module": "iis", + "event.outcome": "failure", + "event.type": [ + "connection" + ], "fileset.name": "error", - "http.request.method": "GET", + "http.request.method": "get", "http.response.status_code": 400, "http.version": "1.1", "iis.error.reason_phrase": "URL", "input.type": "log", "log.offset": 91, + "related.ip": [ + "149.42.83.135", + "192.168.101.101" + ], "service.type": "iis", "source.address": "149.42.83.135", "source.geo.continent_name": "North America", @@ -52,15 +78,28 @@ "destination.address": "192.168.101.101", "destination.ip": "192.168.101.101", "destination.port": 443, + "event.category": [ + "web", + "network" + ], "event.dataset": "iis.error", + "event.kind": "event", "event.module": "iis", + "event.outcome": "failure", + "event.type": [ + "connection" + ], "fileset.name": "error", - "http.request.method": "GET", + "http.request.method": "get", "http.response.status_code": 403, "http.version": "1.1", "iis.error.reason_phrase": "Forbidden", "input.type": "log", "log.offset": 211, + "related.ip": [ + "149.42.83.135", + "192.168.101.101" + ], "service.type": "iis", "source.address": "149.42.83.135", "source.geo.continent_name": "North America", @@ -76,15 +115,28 @@ "destination.address": "192.168.101.101", "destination.ip": "192.168.101.101", "destination.port": 443, + "event.category": [ + "web", + "network" + ], "event.dataset": "iis.error", + "event.kind": "event", "event.module": "iis", + "event.outcome": "failure", + "event.type": [ + "connection" + ], "fileset.name": "error", - "http.request.method": "GET", + "http.request.method": "get", "http.response.status_code": 400, "http.version": "1.1", "iis.error.reason_phrase": "URL", "input.type": "log", "log.offset": 333, + "related.ip": [ + "149.42.83.135", + "192.168.101.101" + ], "service.type": "iis", "source.address": "149.42.83.135", "source.geo.continent_name": "North America", @@ -100,15 +152,28 @@ "destination.address": "192.168.101.101", "destination.ip": "192.168.101.101", "destination.port": 443, + "event.category": [ + "web", + "network" + ], "event.dataset": "iis.error", + "event.kind": "event", "event.module": "iis", + "event.outcome": "failure", + "event.type": [ + "connection" + ], "fileset.name": "error", - "http.request.method": "GET", + "http.request.method": "get", "http.response.status_code": 404, "http.version": "1.1", "iis.error.reason_phrase": "NotFound", "input.type": "log", "log.offset": 450, + "related.ip": [ + "149.42.83.135", + "192.168.101.101" + ], "service.type": "iis", "source.address": "149.42.83.135", "source.geo.continent_name": "North America", @@ -124,15 +189,28 @@ "destination.address": "192.168.101.101", "destination.ip": "192.168.101.101", "destination.port": 443, + "event.category": [ + "web", + "network" + ], "event.dataset": "iis.error", + "event.kind": "event", "event.module": "iis", + "event.outcome": "failure", + "event.type": [ + "connection" + ], "fileset.name": "error", - "http.request.method": "GET", + "http.request.method": "get", "http.response.status_code": 403, "http.version": "1.1", "iis.error.reason_phrase": "Forbidden", "input.type": "log", "log.offset": 602, + "related.ip": [ + "149.42.83.135", + "192.168.101.101" + ], "service.type": "iis", "source.address": "149.42.83.135", "source.geo.continent_name": "North America", @@ -148,15 +226,28 @@ "destination.address": "192.168.101.101", "destination.ip": "192.168.101.101", "destination.port": 443, + "event.category": [ + "web", + "network" + ], "event.dataset": "iis.error", + "event.kind": "event", "event.module": "iis", + "event.outcome": "failure", + "event.type": [ + "connection" + ], "fileset.name": "error", - "http.request.method": "OPTIONS", + "http.request.method": "options", "http.response.status_code": 404, "http.version": "1.1", "iis.error.reason_phrase": "NotFound", "input.type": "log", "log.offset": 733, + "related.ip": [ + "149.42.83.135", + "192.168.101.101" + ], "service.type": "iis", "source.address": "149.42.83.135", "source.geo.continent_name": "North America", @@ -172,15 +263,28 @@ "destination.address": "192.168.101.101", "destination.ip": "192.168.101.101", "destination.port": 443, + "event.category": [ + "web", + "network" + ], "event.dataset": "iis.error", + "event.kind": "event", "event.module": "iis", + "event.outcome": "failure", + "event.type": [ + "connection" + ], "fileset.name": "error", - "http.request.method": "GET", + "http.request.method": "get", "http.response.status_code": 400, "http.version": "1.1", "iis.error.reason_phrase": "URL", "input.type": "log", "log.offset": 829, + "related.ip": [ + "149.42.83.135", + "192.168.101.101" + ], "service.type": "iis", "source.address": "149.42.83.135", "source.geo.continent_name": "North America", diff --git a/filebeat/module/iis/error/test/ipv6_zone_id.log-expected.json b/filebeat/module/iis/error/test/ipv6_zone_id.log-expected.json index f6838b25441..ebcb2f36b84 100644 --- a/filebeat/module/iis/error/test/ipv6_zone_id.log-expected.json +++ b/filebeat/module/iis/error/test/ipv6_zone_id.log-expected.json @@ -4,12 +4,24 @@ "destination.address": "::1%0", "destination.ip": "::1", "destination.port": 80, + "event.category": [ + "web", + "network" + ], "event.dataset": "iis.error", + "event.kind": "event", "event.module": "iis", + "event.type": [ + "connection" + ], "fileset.name": "error", "iis.error.reason_phrase": "Timer_ConnectionIdle", "input.type": "log", "log.offset": 195, + "related.ip": [ + "::1", + "::1" + ], "service.type": "iis", "source.address": "::1%0", "source.ip": "::1", diff --git a/filebeat/module/iis/error/test/test.log-expected.json b/filebeat/module/iis/error/test/test.log-expected.json index 38ee5458bd8..8a78dd9876d 100644 --- a/filebeat/module/iis/error/test/test.log-expected.json +++ b/filebeat/module/iis/error/test/test.log-expected.json @@ -4,15 +4,28 @@ "destination.address": "172.31.77.6", "destination.ip": "172.31.77.6", "destination.port": 80, + "event.category": [ + "web", + "network" + ], "event.dataset": "iis.error", + "event.kind": "event", "event.module": "iis", + "event.outcome": "failure", + "event.type": [ + "connection" + ], "fileset.name": "error", - "http.request.method": "GET", + "http.request.method": "get", "http.response.status_code": 503, "http.version": "1.1", "iis.error.reason_phrase": "ConnLimit", "input.type": "log", "log.offset": 186, + "related.ip": [ + "172.31.77.6", + "172.31.77.6" + ], "service.type": "iis", "source.address": "172.31.77.6", "source.ip": "172.31.77.6", @@ -24,15 +37,28 @@ "destination.address": "127.0.0.1", "destination.ip": "127.0.0.1", "destination.port": 80, + "event.category": [ + "web", + "network" + ], "event.dataset": "iis.error", + "event.kind": "event", "event.module": "iis", + "event.outcome": "failure", + "event.type": [ + "connection" + ], "fileset.name": "error", - "http.request.method": "GET", + "http.request.method": "get", "http.response.status_code": 400, "http.version": "1.1", "iis.error.reason_phrase": "Hostname", "input.type": "log", "log.offset": 286, + "related.ip": [ + "85.181.35.98", + "127.0.0.1" + ], "service.type": "iis", "source.address": "85.181.35.98", "source.as.number": 6805, @@ -53,15 +79,28 @@ "destination.address": "127.0.0.1", "destination.ip": "127.0.0.1", "destination.port": 80, + "event.category": [ + "web", + "network" + ], "event.dataset": "iis.error", + "event.kind": "event", "event.module": "iis", + "event.outcome": "failure", + "event.type": [ + "connection" + ], "fileset.name": "error", - "http.request.method": "GET", + "http.request.method": "get", "http.response.status_code": 505, "http.version": "2.0", "iis.error.reason_phrase": "Version_N/S", "input.type": "log", "log.offset": 384, + "related.ip": [ + "85.181.35.98", + "127.0.0.1" + ], "service.type": "iis", "source.address": "85.181.35.98", "source.as.number": 6805, @@ -82,12 +121,24 @@ "destination.address": "127.0.0.1", "destination.ip": "127.0.0.1", "destination.port": 80, + "event.category": [ + "web", + "network" + ], "event.dataset": "iis.error", + "event.kind": "event", "event.module": "iis", + "event.type": [ + "connection" + ], "fileset.name": "error", "iis.error.reason_phrase": "Timer_MinBytesPerSecond", "input.type": "log", "log.offset": 470, + "related.ip": [ + "85.181.35.98", + "127.0.0.1" + ], "service.type": "iis", "source.address": "85.181.35.98", "source.as.number": 6805,