
Filebeat - Modules Apache - Error : Fix Client IP - missing PORT #12695

Merged: 11 commits, Jul 1, 2019

Conversation

wixaw
Contributor

@wixaw wixaw commented Jun 26, 2019

http://httpd.apache.org/docs/current/mod/core.html#errorlog

Default : ErrorLogFormat "[%t] [%l] [pid %P] %F: %E: [client %a] %M"
%a = Client IP address and port of the request

@wixaw wixaw requested a review from a team as a code owner June 26, 2019 13:30
@elasticmachine
Collaborator

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

@wixaw wixaw changed the title Fix Client IP - missing PORT Filebeat - Modules Apache : Fix Client IP - missing PORT Jun 26, 2019
@wixaw wixaw changed the title Filebeat - Modules Apache : Fix Client IP - missing PORT Filebeat - Modules Apache - Error : Fix Client IP - missing PORT Jun 26, 2019
Member

@jsoriano jsoriano left a comment


Thanks for investigating this issue and proposing a fix!
Could you also provide a test file that reproduces this issue? This should be added to filebeat/module/apache/error/test/ directory, you can find other examples there.

Two review comments on filebeat/module/apache/error/ingest/pipeline.json (outdated, resolved)
@jsoriano jsoriano added the labels Team:Integrations, [zube]: In Review, bug, Filebeat, needs_backport and review Jun 26, 2019
@wixaw
Contributor Author

wixaw commented Jun 27, 2019

Hello @jsoriano
I had not tried it on production machines, but at your request I did.
Neither works. When I modify the pipeline.json and restart filebeat (CentOS 7), nothing changes.
Is this compiled somewhere?
Here is my log of example:
[Thu Jun 27 06:58:09.169510 2019] [include:warn] [pid 15934] [client 123.123.123.123:12345] AH01374: mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed: /test.html

This is JSON view in Kibana

{
  "_index": "filebeat-7.1.1-2019.06.11-000001",
  "_type": "_doc",
  "_id": "mLRMl2sBrO6GboNYYi5E",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "hostname": "servername",
      "id": "d16d6551-9c31-483a-89dc-07521dc178cc",
      "ephemeral_id": "d20240ec-96e9-4465-acf3-518ebdff12da",
      "type": "filebeat",
      "version": "7.1.1"
    },
    "process": {
      "pid": 15934
    },
    "log": {
      "file": {
        "path": "/var/log/httpd/www_error.log"
      },
      "offset": 82805,
      "level": "warn"
    },
    "message": "[client 123.123.123.123:12345] AH01374: mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed: /test.html",
    "fileset": {
      "name": "error"
    },
    "input": {
      "type": "log"
    },
    "@timestamp": "2019-06-27T06:58:09.169Z",
    "apache": {
      "error": {
        "module": "include"
      }
    },
    "ecs": {
      "version": "1.0.0"
    },
    "service": {
      "type": "apache"
    },
    "host": {
      "hostname": "servername",
      "os": {
        "kernel": "3.10.0-957.1.3.el7.x86_64",
        "codename": "Core",
        "name": "CentOS Linux",
        "family": "redhat",
        "version": "7 (Core)",
        "platform": "centos"
      },
      "containerized": false,
      "name": "servername",
      "id": "98fc39052d3c4fbc9ad38e57fd127ef0",
      "architecture": "x86_64"
    },
    "event": {
      "module": "apache",
      "dataset": "apache.error"
    }
  },
  "fields": {
    "suricata.eve.timestamp": [
      "2019-06-27T06:58:09.169Z"
    ],
    "@timestamp": [
      "2019-06-27T06:58:09.169Z"
    ]
  },
  "highlight": {
    "event.module": [
      "@kibana-highlighted-field@apache@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1561618689169
  ]
}

We see that in the message the "client" part is not extracted.

wixaw and others added 3 commits June 27, 2019 09:39
Member

@jsoriano jsoriano left a comment


@wixaw thanks for testing my proposal, actually you are right and my change wouldn't be enough because there are additional processors expecting source.address to be just an ip or a host.

Neither works. When I modify the pipeline.json and I restart filebeat (centos 7) nothing changes
Is this compiled somewhere?

The pipeline needs to be installed in Elasticsearch using filebeat setup.

Here is my log of example:
[Thu Jun 27 06:58:09.169510 2019] [include:warn] [pid 15934] [client 123.123.123.123:12345] AH01374: mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed: /test.html

Thanks!

Two review comments on filebeat/module/apache/error/ingest/pipeline.json (outdated, resolved); one on filebeat/module/apache/error/test/test.log (resolved)
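The PR description quotes Apache's default ErrorLogFormat, where %a is the client IP and port, and the reply above explains why simply widening the grok pattern is not enough: later processors in the pipeline expect source.address to be a bare IP or hostname. The script below is an added example for this thread, not code from the beats repository; it approximates in Python what the apache/error ingest pipeline has to do, so the symptom in the first Kibana document (the whole "[client ...]" left in message) and the fixed shape in the second (source.address plus source.port, message trimmed) can be reproduced offline. Assumptions: the default format with %F omitted and %E rendered as "(errno)text: " when present, Apache writing IPv6 clients without brackets ("::1:43616"), and constructed sample lines for the IPv6 and no-client cases (the first sample is the line quoted in the thread).

```python
"""Parse Apache 2.4 error-log lines whose "[client %a]" field carries a port.

Added example for the PR discussion; not code from elastic/beats. It only
approximates what the apache/error ingest pipeline does.
"""
import ipaddress
import re
from typing import Optional, Tuple

# "[%t] [%l] [pid %P] %E: " -- everything before the optional client field.
# Assumption: %F is absent and %E, when present, looks like "(13)Permission denied: ".
HEADER_RE = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\] "
    r"\[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] "
    r"(?:\((?P<errno>\d+)\)(?P<errstr>[^:]*): )?"
)

# Post-fix shape: capture the whole %a value, split host/port afterwards,
# because IPv6 addresses contain ':' themselves.
CLIENT_RE = re.compile(r"\[client (?P<client>[0-9A-Za-z:.\-]+)\] ")

# Constructed stand-in for the pre-fix pattern (bare IPv4 or hostname only):
# "host:port" does not match, so "[client ...]" stays in the message.
LEGACY_CLIENT_RE = re.compile(
    r"\[client (?P<address>\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z][A-Za-z0-9.\-]*)\] "
)


def split_client(client: str) -> Tuple[str, Optional[int]]:
    """Split Apache's %a value into (address, port); port is None when absent.

    Apache 2.4 always appends the port in %a, so a trailing ':digits' is a
    port whenever what precedes it is still a valid address. A bare IPv6
    such as '::1' is kept whole because ':' alone is not an address.
    """
    head, sep, tail = client.rpartition(":")
    if not sep or not tail.isdigit() or int(tail) > 65535:
        return client, None                 # no port at all
    if ":" not in head:
        return head, int(tail)              # IPv4 or hostname with port
    try:
        ipaddress.IPv6Address(head)         # "::1:43616" -> ("::1", 43616)
        return head, int(tail)
    except ValueError:
        return client, None                 # bare IPv6, e.g. "2001:db8::1"


def legacy_extract_client(message: str) -> Optional[str]:
    """Result of the port-less pattern: None when the client carries a port."""
    m = LEGACY_CLIENT_RE.match(message)
    return m["address"] if m else None


def parse_error_line(line: str) -> dict:
    """Return a flat ECS-style document for one error-log line."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not an Apache error-log line: {line!r}")
    doc = {
        "timestamp": m["timestamp"],
        "apache.error.module": m["module"],
        "log.level": m["level"],
        "process.pid": int(m["pid"]),
        "message": line[m.end():],
    }
    if m["tid"]:
        doc["process.thread.id"] = int(m["tid"])
    if m["errno"]:
        doc["error.code"] = int(m["errno"])
    c = CLIENT_RE.match(doc["message"])
    if c:                                   # lines without a client field are normal
        address, port = split_client(c["client"])
        doc["source.address"] = address
        if port is not None:
            doc["source.port"] = port
        doc["message"] = doc["message"][c.end():]
    return doc


def resolve_source_ip(doc: dict) -> dict:
    """Mimic the pipeline's later processors: they need a bare IP in source.ip.
    A hostname is left alone; an unsplit "ip:port" would also be skipped,
    and geoip enrichment would then silently never happen."""
    address = doc.get("source.address")
    if address is not None:
        try:
            doc["source.ip"] = str(ipaddress.ip_address(address))
        except ValueError:
            pass
    return doc


SAMPLE_LINES = [
    # Line quoted in the PR discussion (IPv4 client with port).
    "[Thu Jun 27 06:58:09.169510 2019] [include:warn] [pid 15934] [client 123.123.123.123:12345] "
    "AH01374: mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed: /test.html",
    # Constructed: IPv6 client with port, thread id present.
    "[Thu Jun 27 06:58:10.000000 2019] [authz_core:error] [pid 15934:tid 140] [client ::1:43616] "
    "client denied by server configuration: /var/www/html/secret",
    # Constructed: OS error, no client field at all.
    "[Thu Jun 27 06:58:11.000000 2019] [core:error] [pid 15934] (13)Permission denied: "
    "could not open transfer log file /var/log/httpd/access_log",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(resolve_source_ip(parse_error_line(line)))
```

The split is deliberately done after the grok-style capture: a hostname or IPv4 has one candidate ':' at most, while for IPv6 the text after the last ':' is treated as a port only if the remainder still parses as an address, which matches Apache's unbracketed "%a" output. Whatever pattern ends up in pipeline.json, the pipeline still has to be reinstalled with filebeat setup before the change takes effect, as noted above.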
@wixaw
Contributor Author

wixaw commented Jun 27, 2019

Yesss
Perfect, it works!!
Thanks

{
  "_index": "filebeat-7.1.1-2019.06.11-000001",
  "_type": "_doc",
  "_id": "iLivmGsBrO6GboNYAmxo",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "hostname": "servername",
      "id": "d16d6551-9c31-483a-89dc-07521dc178cc",
      "ephemeral_id": "5a212816-3cd7-4378-bfbd-79afc938de17",
      "type": "filebeat",
      "version": "7.1.1"
    },
    "process": {
      "pid": 24096
    },
    "log": {
      "file": {
        "path": "/var/log/httpd/www_error.log"
      },
      "offset": 91097,
      "level": "warn"
    },
    "source": {
      "geo": {
        "continent_name": "Europe",
        "country_iso_code": "FR",
        "location": {
          "lon": 2.xxxxxxxx,
          "lat": 4x.xxxxx
        }
      },
      "address": "123.123.123.123",
      "port": "46142",
      "ip": "123.123.123.111"
    },
    "message": "AH01374: mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed: /test.html",
    "fileset": {
      "name": "error"
    },
    "input": {
      "type": "log"
    },
    "@timestamp": "2019-06-27T13:25:29.234Z",
    "apache": {
      "error": {
        "module": "include"
      }
    },
    "ecs": {
      "version": "1.0.0"
    },
    "service": {
      "type": "apache"
    },
    "host": {
      "hostname": "servername",
      "os": {
        "kernel": "3.10.0-957.1.3.el7.x86_64",
        "codename": "Core",
        "name": "CentOS Linux",
        "family": "redhat",
        "version": "7 (Core)",
        "platform": "centos"
      },
      "containerized": false,
      "name": "servername",
      "id": "98fc39052d3c4fbc9ad38e57fd127ef0",
      "architecture": "x86_64"
    },
    "event": {
      "module": "apache",
      "dataset": "apache.error"
    }
  },
  "fields": {
    "suricata.eve.timestamp": [
      "2019-06-27T13:25:29.234Z"
    ],
    "@timestamp": [
      "2019-06-27T13:25:29.234Z"
    ]
  },
  "highlight": {
    "event.module": [
      "@kibana-highlighted-field@apache@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1561641929234
  ]
}

@jsoriano jsoriano self-requested a review June 27, 2019 13:47
@jsoriano jsoriano dismissed their stale review June 27, 2019 13:48

Proposed changes addressed

@jsoriano jsoriano merged commit fa8c467 into elastic:master Jul 1, 2019
@jsoriano
Member

jsoriano commented Jul 1, 2019

@wixaw merged, thanks!

@jsoriano jsoriano removed the needs_backport label Jul 1, 2019
jsoriano pushed a commit to jsoriano/beats that referenced this pull request Jul 1, 2019
…tic#12695)

Client addresses can contain the port in the default log format,
add support for this.

(cherry picked from commit fa8c467)
jsoriano pushed a commit to jsoriano/beats that referenced this pull request Jul 1, 2019
…tic#12695)

Client addresses can contain the port in the default log format,
add support for this.

(cherry picked from commit fa8c467)
@jsoriano jsoriano added the v7.0.2 label Jul 1, 2019
jsoriano pushed a commit to jsoriano/beats that referenced this pull request Jul 1, 2019
…tic#12695)

Client addresses can contain the port in the default log format,
add support for this.

(cherry picked from commit fa8c467)
@jsoriano jsoriano removed the v6.8.2 label Jul 1, 2019
jsoriano added a commit that referenced this pull request Jul 2, 2019
… in Apache error logs (#12729)

Client addresses can contain the port in the default log format,
add support for this.

(cherry picked from commit fa8c467)

Co-authored-by: William VINCENT <[email protected]>
jsoriano added a commit that referenced this pull request Jul 2, 2019
… in Apache error logs (#12730)

Client addresses can contain the port in the default log format,
add support for this.

(cherry picked from commit fa8c467)

Co-authored-by: William VINCENT <[email protected]>
jsoriano added a commit that referenced this pull request Jul 4, 2019
… in Apache error logs (#12731)

Client addresses can contain the port in the default log format,
add support for this.

(cherry picked from commit fa8c467)

Co-authored-by: William VINCENT <[email protected]>
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
…th port in Apache error logs (elastic#12729)

Client addresses can contain the port in the default log format,
add support for this.

(cherry picked from commit b81c58c)

Co-authored-by: William VINCENT <[email protected]>
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
…th port in Apache error logs (elastic#12730)

Client addresses can contain the port in the default log format,
add support for this.

(cherry picked from commit b81c58c)

Co-authored-by: William VINCENT <[email protected]>
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
…th port in Apache error logs (elastic#12731)

Client addresses can contain the port in the default log format,
add support for this.

(cherry picked from commit b81c58c)

Co-authored-by: William VINCENT <[email protected]>
4 participants