GeoIP Enrichment for private IPs in CIDR form whilst using IIS logs input in filebeat

Elastic Stack Beats
1

Hi,

This is a weird problem I am facing. I am using the IIS logs input for filebeat, which creates an ingest-pipeline in ES, thus I can see that the data leaving filebeat is an unmodified string.

I created some add_fields processors in filebeat, which are properly detected at the startup.

Since there is no cidrMatch or network processor for painless available, I cannot rewrite the IIS ingest pipeline to append my private geolocation.

In my head the current flow is the following:

  1. Filebeat read line from file
  2. filebeat does not touch that line and sends it as a string to ES using the IIS ingest_pipeline
  3. ES does index pipeline magic
  4. data is properly indexed

If I add pipeline: xyz in the output.elasticsearch config, is this pipeline skipped? How do you chain pipelines using the default filebeat settings for such modules?

Possible solutions:

  1. Modify the maxmind geoip database. ==> I do not like that idea...

  2. Use some painless magic ==> No idea how to properly solve a CIDR mapping, without writing a lot of things by hand. E.g. I would have to create a mapping for /8, /16, /... to resolve to 192.168.0.0/16 to 192.168.0.0 - 192.168.255.255

  3. Use logstash ==> Not possible would mean I have to port the IIS ingest pipeline to logstash.

  4. Rewrite the IIS ingest pipeline to a local beats javascript processor ==> well, could be done, but has to be tested every time the release notes mention something about processors and IIS module.

All the relevant posts linked in this "mega" thread Creating geoip data for internal networks do not really apply to my use case, as I have to deal with an ES ingest pipeline.

For the sake of it:
Filebeat, ES, Kibana, everything basically version 7.8.0

startup log 
2020-06-22T12:57:11.210+0200    DEBUG   [conditions]    conditions/conditions.go:98     New condition network:(source.ip:192.168.0.0/16)
2020-06-22T12:57:11.210+0200    DEBUG   [conditions]    conditions/conditions.go:98     New condition network:(destination.ip:192.168.0.0/16)
filebeat processor 
 - add_fields:
     when.network.source.ip: 192.168.0.0/16
     fields:
       source.geo.location:
         lat: 47.060658
         lon: 15.447569
     target: ''
 - add_fields:
     when.network.destination.ip: 192.168.0.0/16
     fields:
       source.geo.location:
         lat: 47.060658
         lon: 15.447569
     target: ''
debug json from filebeat 
2020-06-22T12:33:21.436+0200    DEBUG   [processors]    processing/processors.go:187    Publish event: {
  "@timestamp": "2020-06-22T10:33:21.436Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "_doc",
    "version": "7.8.0",
    "pipeline": "filebeat-7.8.0-iis-access-pipeline"
  },
  "message": "2020-06-22 06:00:34 POST /mapi/emsmdb/ MailboxId=9d3364e3-7765-4682-1234-b5c24462f997@domain.com&CorrelationID=<empty>;&ClientId=EMIV9JOYUOLCPPCRXXHD&ClientRequestInfo=R:{F3E4EFAE-AC36-4B46-ABCD-32A3940FE8E1}:72;CI:{34FE85E5-DBC8-4D89-ABCD-BC5E4AE4C473}:18;RT:NotificationWait&cafeReqId=bd7f6780-abcd-41da-8178-a5b103bfaaa5; domain\\pkahr 192.168.1.1 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.4266;+Pro) ClientId=EMIV9JOYUOLCPPCRABCD;MapiContext=MAPIAAAAAPaj+87+yf3e7Nzu3vPDahgzrqjruqtNnBwAAAAAA;MapiSequence=34-nBbhJA==;X-BackEndCookie=9d3364e3-abcd-ddef-aaaa-b5c24462f997=u56Lnp2ej/SnZ6ZyNLLyp7M0p3I0s3Nq8/KxcvHxczH 200",
  "input": {
    "type": "log"
  },
  "fileset": {
    "name": "access"
  },
  "agent": {
    "version": "7.8.0",
    "hostname": "my-iss-server",
    "ephemeral_id": "3f685b87-abcd-4de3-81ce-adec2d8c4292",
    "id": "fba4df89-abcd-41e6-b776-7fbb7a760a1f",
    "name": "my-iss-server",
    "type": "filebeat"
  },
  "log": {
    "offset": 910469,
    "file": {
      "path": "C:\\inetpub\\logs\\LogFiles\\1\\u_ex20062206.log"
    }
  },
  "tags": [
    "exchange"
  ],
  "service": {
    "type": "iis"
  },
  "event": {
    "module": "iis",
    "dataset": "iis.access"
  },
  "ecs": {
    "version": "1.5.0"
  }
}
raw document 
{
  "_index": "filebeat-7.8.0-2020.06.19-000001",
  "_type": "_doc",
  "_id": "Ff-t23IBaPYAommVthG0",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
        "version": "7.8.0",
        "hostname": "my-iss-server",
        "ephemeral_id": "3f685b87-abcd-4de3-81ce-adec2d8c4292",
        "id": "fba4df89-abcd-41e6-b776-7fbb7a760a1f",
        "name": "my-iss-server",
        "type": "filebeat"
    },
    "temp": {},
    "log": {
      "file": {
        "path": "C:\\inetpub\\logs\\LogFiles\\W3SVC2\\u_ex20062210.log"
      },
      "offset": 564178678
    },
    "destination": {
      "address": "192.168.1.100",
      "port": 444,
      "ip": "192.168.1.100"
    },
    "source": {
      "address": "192.168.1.1",
      "ip": "192.168.1.1"
    },
    "fileset": {
      "name": "access"
    },
    "url": {
      "path": "/mapi/emsmdb/",
      "query": "MailboxId=9d3364e3-7765-4682-1234-b5c24462f997@domain.com&CorrelationID=<empty>;&ClientId=EMIV9JOYUOLCPPCRXXHD&ClientRequestInfo=R:{F3E4EFAE-AC36-4B46-ABCD-32A3940FE8E1}:72;CI:{34FE85E5-DBC8-4D89-ABCD-BC5E4AE4C473}:18;RT:NotificationWait&cafeReqId=bd7f6780-abcd-41da-8178-a5b103bfaaa5; domain\\pkahr 192.168.1.1 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.4266;+Pro) ClientId=EMIV9JOYUOLCPPCRABCD;MapiContext=MAPIAAAAAPaj+87+yf3e7Nzu3vPDahgzrqjruqtNnBwAAAAAA;MapiSequence=34-nBbhJA==;X-BackEndCookie=9d3364e3-abcd-ddef-aaaa-b5c24462f997=u56Lnp2ej/SnZ6ZyNLLyp7M0p3I0s3Nq8/KxcvHxczH"
    },
    "tags": ["exchange"],
    "input": {
      "type": "log"
    },
    "iis": {
      "access": {
        "sub_status": 0,
        "win32_status": 0
      }
    },
    "@timestamp": "2020-06-22T10:58:14.000Z",
    "ecs": {
      "version": "1.5.0"
    },
    "related": {
      "user": ["domain\\\\pkahr"]
    },
    "service": {
      "type": "iis"
    },
    "http": {
      "request": {
        "method": "POST"
      },
      "response": {
        "status_code": 200
      }
    },
    "user": {
      "name": "domain\\pkahr"
    },
    "user_agent": {
      "original": "Microsoft+Outlook+16.0.4266",
      "os": {
        "name": "Microsoft Outlook",
        "version": "16.0.4266",
        "full": "Microsoft Outlook 16.0.4266"
      }
    }
  }
}
2

I don't know what pipeline IIS goes through, but the filebeat osquery module goes through one called filebeat-7.5.0-osquery-result-pipeline. I updated that pipeline to add one extra processor right at the end:

      {
    "pipeline" : {
      "name" : "osquery-custom-branch-pipe"
    }
  }
],

That pipeline gets executed at teh end of the default one, and it itself is just a set of additional pipeline/if clauses that call out to a couple different pipelines that actually 'do work'

Yes, this does mean that there is one additional step when I upgrade versions but it isn't a complicated one.

(Metricbeat doesn't use prebuilt pipelines, so for those modules, I've just added pipeline:foo to the metric beat.yml like you mentioned)

3

Hi,

Thanks for that, I expected something like this. I personally still feel that this is weird. Yeah IIS has also an ingest pipeline just like apache module and so on. I think Netflow, Syslog are few of the modules that get parsed within filebeat.

Some sort of flag / notification would be nice. I am missing that from the docs.

4

I do think it would be a nice upgrade if the pipeline option in teh main config .yml had some sort of extra flag that would indicate like "use this one only" or "run this pipeline after any built-in pipelines were run" ... but I haven't put much thought in to that... maybe the right way would be an extra commend line flag for the beat module install so it would install the built-in pipeline but also tack on call to your custom pipe as part of it... something...

5

I guess I should be able todo this GeoIP enrichment with a bit of work using the enrich processor https://www.elastic.co/guide/en/elasticsearch/reference/master/enrich-setup.html

but that is all not round just does not feel right.

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.