Customize Filebeat IIS log pipeline to add X-Forwarded-For

Hello,

I am using ELK 7.3.2 and Metricbeat for monitoring capacity in my environment.
Now I am trying to log IIS with the X-Forwarded-For field, but in Elasticsearch and Kibana I did not see the public IP.

For example, a log line:
2020-06-22 12:48:57 172.xxx.xxx.xxx GET /acxxxxx/index - 80 - Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/83.0.4103.106+Safari/537.36 https://xxxxxx.xxxxx.com.br/Acompxxxxx/Servxxxxx 200 0 0 715 177.xxx.xxx.xxx

I looked in some forums and changed the file default.json: I renamed source.address in the patterns to source.address2, put source.address at the end of each pattern, and restarted the Filebeat agent. I did not see any changes. Do I need to run filebeat setup again? What is my mistake?
Modified default.json:

{
  "description": "Pipeline for parsing IIS access logs. Requires the geoip and user_agent plugins.",
  "processors": [{
    "grok": {
      "field": "message",
      "patterns":[
        "%{TIMESTAMP_ISO8601:iis.access.time} %{IPORHOST:destination.address} %{WORD:http.request.method} %{URIPATHWITHBRACKET:url.path} %{NOTSPACE:url.query} %{NUMBER:destination.port:long} %{NOTSPACE:user.name} %{IPORHOST:source.address2} %{NOTSPACE:user_agent.original} %{NOTSPACE:http.request.referrer} %{NUMBER:http.response.status_code:long} %{NUMBER:iis.access.sub_status:long} %{NUMBER:iis.access.win32_status:long} %{NUMBER:temp.duration:long} %{IPORHOST:source.address}",
        "%{TIMESTAMP_ISO8601:iis.access.time} %{NOTSPACE:iis.access.site_name} %{WORD:http.request.method} %{URIPATH:url.path} %{NOTSPACE:url.query} %{NUMBER:destination.port:long} %{NOTSPACE:user.name} %{IPORHOST:source.address2} %{NOTSPACE:user_agent.original} %{NOTSPACE:iis.access.cookie} %{NOTSPACE:http.request.referrer} %{NOTSPACE:destination.domain} %{NUMBER:http.response.status_code:long} %{NUMBER:iis.access.sub_status:long} %{NUMBER:iis.access.win32_status:long} %{NUMBER:http.response.body.bytes:long} %{NUMBER:http.request.body.bytes:long} %{NUMBER:temp.duration:long} %{IPORHOST:source.address}",
        "%{TIMESTAMP_ISO8601:iis.access.time} %{NOTSPACE:iis.access.site_name} %{NOTSPACE:iis.access.server_name} %{IPORHOST:destination.address} %{WORD:http.request.method} %{URIPATH:url.path} %{NOTSPACE:url.query} %{NUMBER:destination.port:long} %{NOTSPACE:user.name} %{IPORHOST:source.address2} HTTP/%{NUMBER:http.version} %{NOTSPACE:user_agent.original} %{NOTSPACE:iis.access.cookie} %{NOTSPACE:http.request.referrer} %{NOTSPACE:destination.domain} %{NUMBER:http.response.status_code:long} %{NUMBER:iis.access.sub_status:long} %{NUMBER:iis.access.win32_status:long} %{NUMBER:http.response.body.bytes:long} %{NUMBER:http.request.body.bytes:long} %{NUMBER:temp.duration:long} %{IPORHOST:source.address}",
        "%{TIMESTAMP_ISO8601:iis.access.time} \\[%{IPORHOST:destination.address}\\]\\(http://%{IPORHOST:destination.address}\\) %{WORD:http.request.method} %{URIPATH:url.path} %{NOTSPACE:url.query} %{NUMBER:destination.port:long} %{NOTSPACE:user.name} \\[%{IPORHOST:source.address2}\\]\\(http://%{IPORHOST:source.address2}\\) %{NOTSPACE:user_agent.original} %{NUMBER:http.response.status_code:long} %{NUMBER:iis.access.sub_status:long} %{NUMBER:iis.access.win32_status:long} %{NUMBER:temp.duration:long} %{IPORHOST:source.address}",
        "%{TIMESTAMP_ISO8601:iis.access.time} %{IPORHOST:destination.address} %{WORD:http.request.method} %{URIPATH:url.path} %{NOTSPACE:url.query} %{NUMBER:destination.port:long} %{NOTSPACE:user.name} %{IPORHOST:source.address2} %{NOTSPACE:user_agent.original} %{NUMBER:http.response.status_code:long} %{NUMBER:iis.access.sub_status:long} %{NUMBER:iis.access.win32_status:long} %{NUMBER:temp.duration:long} %{IPORHOST:source.address}"
      ],
      "pattern_definitions": {
          "URIPATHWITHBRACKET": "(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_\\-\\[\\]]*)+"
      },
      "ignore_missing": true
    }
  }, {
    "remove":{
      "field": "message"
    }
  }, {
    "rename": {
      "field": "@timestamp",
      "target_field": "event.created"
    }
  }, {
    "date": {
      "field": "iis.access.time",
      "target_field": "@timestamp",
      "formats": ["yyyy-MM-dd HH:mm:ss"]
    }
  }, {
    "remove": {
      "field": "iis.access.time"
    }
  }, {
    "script": {
      "lang": "painless",
      "source": "ctx.event.duration = Math.round(ctx.temp.duration * params.scale)",
      "params": { "scale": 1000000 },
      "if": "ctx.temp?.duration != null"
    }
  }, {
    "remove": {
      "field": "temp.duration",
      "ignore_missing": true
    }
  }, {
    "urldecode": {
      "field": "user_agent.original"
    }
  }, {
    "user_agent": {
      "field": "user_agent.original"
    }
  }, {
    "grok": {
      "field": "destination.address",
      "ignore_failure": true,
      "patterns": [
        "%{NOZONEIP:destination.ip}"
      ],
      "pattern_definitions": {
         "NOZONEIP": "[^%]*"
      }
    }
  }, {
    "grok": {
      "field": "source.address",
      "ignore_failure": true,
      "patterns": [
        "%{NOZONEIP:source.ip}"
      ],
      "pattern_definitions": {
         "NOZONEIP": "[^%]*"
      }
    }
  }, {
    "geoip": {
      "field": "source.ip",
      "target_field": "source.geo",
      "ignore_missing": true
    }
  }],
  "on_failure" : [{
    "set" : {
      "field" : "error.message",
      "value" : "{{ _ingest.on_failure_message }}"
    }
  }]
}

I found it.
Editing default.json on disk does not change the pipeline already stored in Elasticsearch; I need to upload (PUT) default.json to the ingest pipeline API, as suggested in a GitHub issue comment:

# Re-uploads the modified pipeline definition: a PUT to _ingest/pipeline/<id> replaces the pipeline
# stored in Elasticsearch, which is what Filebeat events are actually processed with.
# NOTE(review): the URI host is blank here (redacted) and the pipeline id embeds Filebeat 7.2.0 while
# the post mentions ELK 7.3.2 -- confirm the id matches the pipeline the running beat targets.
# NOTE(review): as written this is plain http with no credentials -- presumably a lab setup; verify
# against the cluster's transport/auth settings before reusing it elsewhere.
Invoke-WebRequest -uri http://:9200/_ingest/pipeline/filebeat-7.2.0-iis-access-default -ContentType "application/json" -InFile "default.json" -Method PUT
