Merge remote-tracking branch 'upstream/master' into feature-modularize

Lucas Bremgartner · Lucas Bremgartner · commit 2ca328ee1fd2 · 2015-11-25T15:51:16.000+01:00
Conflicts:
	logstash-modsecurity.conf
diff --git a/1010_input_file_example.conf b/1010_input_file_example.conf
@@ -1,9 +1,7 @@
 input {
-
   file {
     # IMPORTANT! set this correctly to the charset
     # that your server writes these log files in
-    charset => "US-ASCII"
     path => "/path/to/your/modsec/audit/logs/*.log"
     type => "mod_security"
 
@@ -13,10 +11,10 @@ input {
     # which is the end of each modsec logical event in the logfile
     #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     codec => multiline {
+      charset => "US-ASCII"
       pattern => "^--[a-fA-F0-9]{8}-Z--$"
       negate => true
       what => previous
     }
   }
-
 }
diff --git a/2020_filter_section_b_parse_request_line.conf b/2020_filter_section_b_parse_request_line.conf
@@ -7,23 +7,12 @@ filter {
     #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
     # if a legit line... normal http request
-    if [rawSectionB] =~ /.*?\s\S+\s.+\n{1}/ {
-
-      grok {
-        match => {
-          "rawSectionB" => "%{DATA:httpMethod}\s(?<requestedUri>\S+)\s(?<incomingProtocol>.+?)\n{1}"
-        }
-        patterns_dir => "./patterns/logstash_modsecurity_patterns"
-      }
-
-    # not a legit line.. invalid http request, grab first line and dump in the httpMethod
-    } else {
-
+    if [rawSectionB] =~ /.+/ {
       grok {
         match => {
-          "rawSectionB" => "(?<httpMethod>^(.*)$)"
+          "rawSectionB" => [  "(?m)^%{DATA:httpMethod}\s(?<requestedUri>\S+)\s(?<incomingProtocol>[^\n]+)(?:\n(?<raw_requestHeaders>.+)?)?$",
+                              "(?<httpMethod>^(.*)$)" ]
         }
-        patterns_dir => "./patterns/logstash_modsecurity_patterns"
       }
     }
   }
diff --git a/2021_filter_section_b_headers_key-value.conf b/2021_filter_section_b_headers_key-value.conf
diff --git a/2021_filter_section_b_parse_headers.conf b/2021_filter_section_b_parse_headers.conf
diff --git a/2029_filter_section_b_example_header_Cookie.conf b/2029_filter_section_b_example_header_Cookie.conf
@@ -12,7 +12,6 @@ filter {
         match => {
           "raw_requestHeaders" => "(?<myCookie>myCookie[^; \s]+)"
         }
-        patterns_dir => "./patterns/logstash_modsecurity_patterns"
       }
     }
   }
diff --git a/2029_filter_section_b_example_header_X-Forwarded-For.conf b/2029_filter_section_b_example_header_X-Forwarded-For.conf
@@ -16,7 +16,6 @@ filter {
         match => {
           "raw_requestHeaders" => "X-Forwarded-For: %{IPORHOST:XForwardedFor}"
         }
-        patterns_dir => "./patterns/logstash_modsecurity_patterns"
       }
     }
   }
diff --git a/2029_filter_section_b_example_splitt_all_cockies.conf b/2029_filter_section_b_example_splitt_all_cockies.conf
@@ -0,0 +1,18 @@
+filter {
+  if [type] == "mod_security" {
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    # Example of splitting all Cookies from the requestHeader Cookie
+    # and promoting it to a first class field
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+      if [requestHeaders][Cookie] =~ /.+/ {
+          kv {
+              source => "[requestHeaders][Cookie]"
+              field_split => "; "
+              value_split => "="
+              target => "requestCookies"
+          }
+      }
+    }
+  }
+}
diff --git a/2030_filter_section_c_parse.conf b/2030_filter_section_c_parse.conf
@@ -10,8 +10,7 @@ filter {
       grok {
         match => {
           "rawSectionC" => "(?<requestBody>.+)"
-         }
-        patterns_dir => "./patterns/logstash_modsecurity_patterns"
+        }
       }
     }
   }
diff --git a/2060_filter_section_f_parse_request_line.conf b/2060_filter_section_f_parse_request_line.conf
@@ -5,24 +5,12 @@ filter {
     # Parse out server protocol/HTTP status from Section F (response related, line 1)
     #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-     # response section (NO headers)
-    if [rawSectionF] =~ /(.+?)\s(.+?)$/ {
-      grok {
-        singles => true
-        match => {
-          "rawSectionF" => "(?<serverProtocol>.+?)\s(?<responseStatus>.+?)$"
-        }
-        patterns_dir => "./patterns/logstash_modsecurity_patterns"
-      }
+    if [rawSectionF] =~ /.+/ {
 
-    # response section (WITH headers)
-    } else if [rawSectionF] =~ /(.+?)\s(.+?)\n{1}/ {
       grok {
-        singles => true
         match => {
-          "rawSectionF" => "(?<serverProtocol>.+?)\s(?<responseStatus>.+?)\n{1}"
+          "rawSectionF" => "(?m)^(?<serverProtocol>.+?)\s(?<responseStatus>[^\n]+)(\n(?<raw_responseHeaders>.+)?)?$"
         }
-        patterns_dir => "./patterns/logstash_modsecurity_patterns"
       }
     }
   }
diff --git a/2061_filter_section_f_parse_headers.conf b/2061_filter_section_f_parse_headers.conf
@@ -12,7 +12,6 @@ filter {
         match => {
           "rawSectionF" => ".+?\n(?m)(?<raw_responseHeaders>.+)"
         }
-        patterns_dir => "./patterns/logstash_modsecurity_patterns"
       }
     }
   }
diff --git a/2080_filter_section_h_parse_messages_to_auditLogTrailerMessages.conf b/2080_filter_section_h_parse_messages_to_auditLogTrailerMessages.conf
@@ -7,7 +7,7 @@ filter {
     # called "auditLogTrailerMessages"
     #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-    if [rawSectionH] =~ /Message:/ {
+    if [rawSectionH] =~ /.+/ {
 
       # build the auditlog trailer messages
       ruby {
diff --git a/2082_filter_section_h_extract_stopwatch.conf b/2082_filter_section_h_extract_stopwatch.conf
@@ -11,47 +11,43 @@ filter {
     # also retain the milliseconds and seconds fields
     #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-    if [rawSectionH] =~ /Stopwatch/ {
-
-      grok {
-        match => {
-          "rawSectionH" => "Stopwatch: %{WORD:event_date_microseconds}"
-        }
-        patterns_dir => "./patterns/logstash_modsecurity_patterns"
+    grok {
+      match => {
+        "rawSectionH" => "Stopwatch: %{WORD:event_date_microseconds}"
       }
+    }
 
-      mutate {
-        convert => [ "event_date_microseconds", "float" ]
-      }
+    mutate {
+      convert => [ "event_date_microseconds", "float" ]
+    }
 
-      # micro -> milli
-      ruby {
-        code => "
-            event_date_milliseconds = (event.to_hash['event_date_microseconds'] / 1000.0)
-            event.to_hash.merge!('event_date_milliseconds' => event_date_milliseconds)
-          "
-      }
+    # micro -> milli
+    ruby {
+      code => "
+          event_date_milliseconds = (event.to_hash['event_date_microseconds'] / 1000.0)
+          event.to_hash.merge!('event_date_milliseconds' => event_date_milliseconds)
+        "
+    }
 
-      # milli -> seconds
-      ruby {
-        code => "
-            event_date_seconds = (event.to_hash['event_date_milliseconds'] / 1000.0)
-            event.to_hash.merge!('event_date_seconds' => event_date_seconds)
-          "
-      }
+    # milli -> seconds
+    ruby {
+      code => "
+          event_date_seconds = (event.to_hash['event_date_milliseconds'] / 1000.0)
+          event.to_hash.merge!('event_date_seconds' => event_date_seconds)
+        "
+    }
 
-      # NOTE!, this forces the event's @timestamp to be = to the stopwatch value
-      date {
-        match => [ "event_date_seconds", "UNIX" ]
-        timezone => "GMT"
-      }
+    # NOTE!, this forces the event's @timestamp to be = to the stopwatch value
+    date {
+      match => [ "event_date_seconds", "UNIX" ]
+      timezone => "GMT"
+    }
 
-      # a second copy of a iso8601 date
-      ruby {
-        code => "
-            event.to_hash.merge!('event_timestamp' => (Time.at(event.to_hash['event_date_seconds']).gmtime).iso8601(3))
-          "
-      }
+    # a second copy of a iso8601 date
+    ruby {
+      code => "
+          event.to_hash.merge!('event_timestamp' => (Time.at(event.to_hash['event_date_seconds']).gmtime).iso8601(3))
+        "
     }
   }
 }
diff --git a/2089_filter_section_h_example_geoip.conf b/2089_filter_section_h_example_geoip.conf
@@ -11,6 +11,11 @@ filter {
       target => "XForwardedFor-GEOIP"
     }
 
+    geoip {
+      source => "sourceIP"
+      target => "sourceIP-GEOIP"
+    }
+
     # Optional, if not fixed: massage values to UTF-8... hack  @see https://logstash.jira.com/browse/LOGSTASH-1372
     # convert Strings to UTF-8, leave as-is otherwise
     #ruby {
diff --git a/2089_filter_section_h_example_severities.conf b/2089_filter_section_h_example_severities.conf
@@ -5,7 +5,7 @@ filter {
   # and store them in a top-level "modsecSeverities" array
   #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-  if [rawSectionH] =~ /Message:/ {
+  if [rawSectionH] =~ /.+/ {
 
     # extract distinct severities from the messages built in 2080_filter_section_h_parse_messages_to_auditLogTrailerMessages.conf
     ruby {
diff --git a/3000_output_stdout_example.conf b/3000_output_stdout_example.conf
@@ -3,6 +3,6 @@ output {
   # turn this off when ready to run in a 
   # real prod environment and get rid of the 
   # "-v" flag when starting logstash
-  stdout { }
+  stdout { codec => rubydebug }
   
 }
diff --git a/README.md b/README.md
@@ -7,7 +7,9 @@ Modsecurity audit log ingestor configuration for Logstash
 
 [Version 1.0](https://github.com/bitsofinfo/logstash-modsecurity/releases/tag/1.0): Works with Logstash 1.3.3 and 1.4.1+ (NOT 1.5.x)
 
-MASTER/TRUNK: In-progress, works with Logstash 1.3.3, 1.4.1+ and 1.5.x 
+[Version 1.1](https://github.com/bitsofinfo/logstash-modsecurity/releases/tag/1.1): Minor fixes for 1.5.x. Works with Logstash 1.3.3, 1.4.1+, 1.5.x+
+
+MASTER/TRUNK: In-progress, should work with Logstash 1.3.3, 1.4.1+ and 1.5.x+
 
 ### Overview 
 

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,6 @@ filter {`
`12`	`12`	`match => {`
`13`	`13`	`"raw_requestHeaders" => "(?<myCookie>myCookie[^; \s]+)"`
`14`	`14`	`}`
`15`		`- patterns_dir => "./patterns/logstash_modsecurity_patterns"`
`16`	`15`	`}`
`17`	`16`	`}`
`18`	`17`	`}`
Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,6 @@ filter {`
`16`	`16`	`match => {`
`17`	`17`	`"raw_requestHeaders" => "X-Forwarded-For: %{IPORHOST:XForwardedFor}"`
`18`	`18`	`}`
`19`		`- patterns_dir => "./patterns/logstash_modsecurity_patterns"`
`20`	`19`	`}`
`21`	`20`	`}`
`22`	`21`	`}`
Original file line number	Diff line number	Diff line change
`@@ -10,8 +10,7 @@ filter {`
`10`	`10`	`grok {`
`11`	`11`	`match => {`
`12`	`12`	`"rawSectionC" => "(?<requestBody>.+)"`
`13`		`- }`
`14`		`- patterns_dir => "./patterns/logstash_modsecurity_patterns"`
	`13`	`+ }`
`15`	`14`	`}`
`16`	`15`	`}`
`17`	`16`	`}`