This repository has been archived by the owner on Dec 6, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 32
/
w3c-extended-iis.conf
144 lines (135 loc) · 6.43 KB
/
w3c-extended-iis.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
# vim: syntax=python
# This configuration files goes with the proxy-bluecoat.py script to generate the adequate columns.
# ./proxy-bluecoat.py -c w3c-extended-iis.conf -l <yourlogfile>
#
# Please check https://github.com/cvandeplas/ELK-forensics for more information.
# Created by Christophe Vandeplas <[email protected]>
input {
tcp {
type => "w3c_extended_iis"
port => 18003
# Most of the proxy files are encoded in UTF-8, however the files mix charactersets. (CP1252 and others). There's no way to solve this problem.
#codec => line { charset => "CP1252" }
}
}
filter {
if [type] == "w3c_extended_iis" {
# drop comment lines
if ([message] =~ /^#/) {
drop{}
}
csv {
columns => ["date", "time", "s_ip", "cs_method", "cs_uri_stem", "cs_uri_query", "s_port", "cs_username", "c_ip", "cs_user_agent", "sc_status", "sc_substatus", "sc_win32_status", "time_taken"]
separator => " "
}
####
# All possible values for the W3C Extended format of IIS (6.0) are below.
# c = client
# cs = client to server
# s = proxy server related
# sc = server to client
# * = means it's in the Kibana dashboard
####
# date - time - The date on which the activity occurred.
# time - time - The time, in coordinated universal time (UTC), at which the activity occurred.
mutate { merge => ["date", "time"] } # merge and join need to be in 2 separate mutates
mutate { join => ["date", " "] } # merge and join need to be in 2 separate mutates
date {
match => ["date", "YYYY-MM-dd HH:mm:ss" ]
timezone => ['UTC']
}
# c_ip - ip - * The IP address of the client that made the request.
geoip {
source => "c_ip"
}
# s_ip - ip - The IP address of the server on which the log file entry was generated.
# TODO - convert above to ips using the logstash template
# TODO - allow local geoip database for internal IP lookup
# s_port - int - The server port number that is configured for the service.
# sc_status - int - * The HTTP status code.
translate {
field => "sc_status"
destination => "status"
override => true
dictionary => [ "100", "100 Continue",
"101", "101 Switching protocols",
"200", "200 OK",
"201", "201 Created",
"202", "202 Accepted",
"203", "203 Non-authoritative information",
"204", "204 No content",
"205", "205 Reset content",
"206", "206 Partial content",
"207", "207 Multi-Status",
"301", "301 Moved Permanently",
"302", "302 Object moved",
"304", "304 Not modified",
"307", "307 Temporary redirect",
"400", "400 Bad request",
"401", "401 Access denied",
"403", "403 Forbidden",
"404", "404 Not found",
"405", "405 Method not allowed",
"406", "406 Client browser does not accept the MIME type of the requested page",
"407", "407 Proxy authentication required",
"412", "412 Precondition failed",
"413", "413 Request entity too large",
"414", "414 Request-URI too long",
"415", "415 Unsupported media type",
"416", "416 Requested range not satisfiable",
"417", "417 Execution failed",
"423", "423 Locked error",
"500", "500 Internal server error",
"501", "501 Header values specify a configuration that is not implemented",
"502", "502 Web server received an invalid response while acting as a gateway or proxy",
"503", "503 Service unavailable",
"504", "504 Gateway timeout",
"505", "505 HTTP version not supported"
]
}
# sc_substatus - int - The substatus error code.
# sc_win32_status - int - * The Windows status code.
# sc_bytes - int - The number of bytes that the server sent.
# cs_bytes - int - The number of bytes that the server received.
# time_taken - int - The length of time that the action took, in milliseconds.
mutate {
convert => ["s_port", "integer",
"sc_status", "integer",
"sc_win32_status", "integer",
"sc_bytes", "integer",
"cs_bytes", "integer",
"time_taken", "integer",
"sc_substatus", "integer"
]
}
# cs_username - string - * The name of the authenticated user who accessed your server. Anonymous users are indicated by a hyphen.
# s_sitename - string - The Internet service name and instance number that was running on the client.
# s_computername - string - The name of the server on which the log file entry was generated.
# cs_method - string - * The requested action, for example, a GET method.
# cs_uri_stem - string - * The target of the action, for example, Default.htm.
# cs_uri_query - string - * The query, if any, that the client was trying to perform. A Universal Resource Identifier (URI) query is necessary only for dynamic pages.
# cs_version - string - The protocol version —HTTP or FTP —that the client used.
# cs_host - string - The host header name, if any.
# cs_user_agent - string - * The browser type that the client used.
if [cs_user_agent] != "" {
useragent { source => "cs_user_agent" prefix => "user_agent." }
}
# cs_cookie - string - The content of the cookie sent or received, if any.
# cs_referrer - string - The site that the user last visited. This site provided a link to the current site.
# cleanup
mutate {
remove_field => ["message", "date", "time"]
}
}
}
output {
if [type] == "w3c_extended_iis" {
elasticsearch {
index => "logstash-%{[type]}-%{+YYYY.MM.dd}"
host => "localhost"
# custom schema
#template_overwrite => true
#template => "/etc/elasticsearch/elasticsearch-template.json"
}
}
}