input { beats { port => 5044 host => "0.0.0.0" } }
filter { if [event][module] != "apache" { drop { } }
if [event][dataset] == "apache.access" {
grok {
match => {
"message" => [
"%{IPORHOST:[source][address]} - %{DATA:[user][name]} \[%{HTTPDATE:[apache][access][time]}\] \"%{WORD:[http][request][method]} %{DATA:[url][original]} HTTP/%{NUMBER:[http][version]}\" %{NUMBER:[http][response][status_code]:long} (?:%{NUMBER:[http][response][body][bytes]:long}|-)( \"%{DATA:[http][request][referrer]}\")?( \"%{DATA:[user_agent][original]}\")?",
"%{IPORHOST:[source][address]} - %{DATA:[user][name]} \[%{HTTPDATE:[apache][access][time]}\] \"-\" %{NUMBER:[http][response][status_code]:long} -",
"\[%{HTTPDATE:[apache][access][time]}\] %{IPORHOST:[source][address]} %{DATA:[apache][access][ssl][protocol]} %{DATA:[apache][access][ssl][cipher]} \"%{WORD:[http][request][method]} %{DATA:[url][original]} HTTP/%{NUMBER:[http][version]}\" %{NUMBER:[http][response][body][bytes]:long}"
]
}
remove_field => "message"
}
if "_grokparsefailure" in [tags] {
drop { }
}
grok {
match => {
"[source][address]" => "^(%{IP:[source][ip]}|%{HOSTNAME:[source][domain]})$"
}
}
mutate {
add_field => { "[event][created]" => "%{@timestamp}" }
}
date {
match => [ "[apache][access][time]", "dd/MMM/yyyy:H:m:s Z" ]
remove_field => "[apache][access][time]"
}
useragent {
source => "[user_agent][original]"
target => "ua_tmp"
add_field => {
"[user_agent][device][name]" => "%{[ua_tmp][device]}"
"[user_agent][os][name]" => "%{[ua_tmp][os_name]}"
}
}
# OS version ECS compatibility
if [ua_tmp][os_major] {
mutate {
add_field => {
"[user_agent][os][version]" => "%{[ua_tmp][os_major]}"
}
}
if [ua_tmp][os_minor] {
mutate {
replace => {
"[user_agent][os][version]" => "%{[user_agent][os][version]}.%{[ua_tmp][os_minor]}"
}
}
if [ua_tmp][os_patch] {
mutate {
replace => {
"[user_agent][os][version]" => "%{[user_agent][os][version]}.%{[ua_tmp][os_patch]}"
}
}
if [ua_tmp][os_build] {
mutate {
replace => {
"[user_agent][os][version]" => "%{[user_agent][os][version]}.%{[ua_tmp][os_build]}"
}
}
}
}
}
mutate {
add_field => {
"[user_agent][os][full]" => "%{[user_agent][os][name]} %{[user_agent][os][version]}"
}
}
}
# User agent version ECS compatibility
if [ua_tmp][major] {
mutate {
add_field => {
"[user_agent][version]" => "%{[ua_tmp][major]}"
}
}
if [ua_tmp][minor] {
mutate {
replace => {
"[user_agent][version]" => "%{[user_agent][version]}.%{[ua_tmp][minor]}"
}
}
if [ua_tmp][patch] {
mutate {
replace => {
"[user_agent][version]" => "%{[user_agent][version]}.%{[ua_tmp][patch]}"
}
}
if [ua_tmp][build] {
mutate {
replace => {
"[user_agent][version]" => "%{[user_agent][version]}.%{[ua_tmp][build]}"
}
}
}
}
}
}
mutate {
remove_field => ["ua_tmp"]
}
geoip {
source => "[source][ip]"
target => "[source][geo]"
}
} else if [event][dataset] == "apache.error" {
grok {
match => {
"message" => [
"\[%{APACHE_TIME:[apache][error][timestamp]}\] \[%{LOGLEVEL:[log][level]}\]( \[client %{IPORHOST:[source][address]}\])? %{GREEDYDATA:[message]}",
"\[%{APACHE_TIME:[apache][error][timestamp]}\] \[%{DATA:[apache][error][module]}:%{LOGLEVEL:[log][level]}\] \[pid %{NUMBER:[process][pid]:long}(:tid %{NUMBER:[process][thread][id]:long})?\]( \[client %{IPORHOST:[source][address]}\])? %{GREEDYDATA:[message]}"
]
}
pattern_definitions => {
"APACHE_TIME" => "%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}"
}
}
date {
match => [ "[apache][error][timestamp]", "EEE MMM dd H:m:s yyyy", "EEE MMM dd H:m:s.SSSSSS yyyy" ]
remove_field => "[apache][error][timestamp]"
}
grok {
match => {
"[source][address]" => "^(%{IP:[source][ip]}|%{HOSTNAME:[source][domain]})$"
}
}
geoip {
source => "[source][ip]"
target => "[source][geo]"
}
}
}