Suggestion for field name

opoplawski · July 21, 2020, 10:04pm

I'm parsing logs from e2guardian - a web filter. One of the fields is basically "why" a request was block. For e.g.:

2020.04.06 12:21:37     -       10.11.2.22      https://stats.g.doubleclick.net/r/collect?v=1&aip=1&t=dc&_r=3&tid=UA-23460252-1&cid=840626379.1586197112&jid=529282670&_gid=2125124794.1586197112&gjid=493219403&_v=j81&z=169728763   *DENIED* Blocked site: doubleclick.net  GET     0       0       - 1403     -       10.11.2.22      no_name_group

I'm looking for suggestions for a field name to use for this. Currently I'm just calling this "why"

match => { "message" => "(?<e2_timestamp>\d\d\d\d\.\d\d\.\d\d \d\d:\d\d:\d\d)\t%{NOTSPACE:user.name}\t%{IP:client.address}\t%{NOTSPACE:url.full}\t%{NOTSPACE:action} ?(hw\d+: )?(?<why>[^\t]+)?\t%{WORD:http.request.method}\t%{NUMBER:http.request.bytes}\t\d+\t[^\t]+\t[^\t]+\t%{NUMBER:http.response.status_code}\t[^\t]+\t%{IP:client.ip}" }

but that currently isn't defined.

ebeahan · July 21, 2020, 11:51pm

Hi @opoplawski!

The action being observed in an event should be captured in event.action. There's also an opportunity to leverage the categorization fields to better capture the "what it is" of the event.

For example, using the current example web filter event:

event.kind: "event"
event.category: [ "network" ]
event.type: [ "connection", "denied" ]
event.outcome: "success"

The docs covering the different event field set can be found here.

webmat · July 22, 2020, 1:01pm

Looking at the grok, it seems like there's both an action and a reason defined by the source, however.

Perhaps adding event.reason would be useful, actually

Note: I see the "action" field is not using the ECS field, I would recommend moving it to %{NOTSPACE:event.action}

opoplawski · July 22, 2020, 7:12pm

Thanks. Two questions:

Is event type "access" relevant here as well?
Is event.outcome "success" correct for a connection being denied?

opoplawski · July 22, 2020, 7:13pm

RIght, it's the reason that I'm having a hard time figuring out where to place.

ebeahan · July 24, 2020, 3:50am

Is event type "access" relevant here as well?

I would say no since the connection is being denied and the resource ultimately wasn't accessed.

Is event.outcome "success" correct for a connection being denied?

From the perspective of the entity that emitted the event, the web filter, the blocked connection was a successful and expected operation, so success is appropriate.

system · August 21, 2020, 5:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.