Add support for IIS package #138

Merged
merged 19 commits into from
Jul 9, 2020
Conversation

@narph (Contributor) commented Jun 30, 2020

Import the IIS package

IIS error logs:

{
        "_index" : ".ds-logs-iis.error-default-000001",
        "_id" : "DPvJ43IB_yPpbIdgP2Rz",
        "_score" : 1.0,
        "_source" : {
          "agent" : {
            "name" : "DESKTOP-RFOOE09",
            "id" : "db17f9fb-5bcb-4116-a009-79a1bb7d4820",
            "type" : "filebeat",
            "ephemeral_id" : "3f65b650-b6a3-4694-83b3-0c324a60809d",
            "version" : "8.0.0"
          },
          "log" : {
            "file" : {
              "path" : """c:\Windows\System32\LogFiles\HTTPERR\httperr1.log"""
            },
            "offset" : 199
          },
          "destination" : {
            "address" : "::1%0",
            "port" : 80,
            "ip" : "::1"
          },
          "source" : {
            "address" : "::1%0",
            "port" : 59827,
            "ip" : "::1"
          },
          "input" : {
            "type" : "log"
          },
          "iis" : {
            "error" : {
              "reason_phrase" : "Timer_ConnectionIdle"
            }
          },
          "@timestamp" : "2020-06-30T13:56:46.000Z",
          "ecs" : {
            "version" : "1.5.0"
          },
          "related" : {
            "ip" : [
              "::1",
              "::1"
            ]
          },
          "host" : {
            "hostname" : "DESKTOP-RFOOE09",
            "os" : {
              "build" : "18363.900",
              "kernel" : "10.0.18362.900 (WinBuild.160101.0800)",
              "name" : "Windows 10 Pro",
              "family" : "windows",
              "version" : "10.0",
              "platform" : "windows"
            },
            "ip" : [
              "fe80::31c1:8a71:5a2b:8b51",
              "169.254.139.81",
              "fe80::5d83:4428:eb69:6d47",
              "169.254.109.71",
              "fe80::d88d:d3cb:7338:7680",
              "192.168.21.104",
              "fe80::adc8:e8:c7c3:3f56",
              "169.254.63.86",
              "fe80::f157:f94b:8459:833",
              "192.168.121.33"
            ],
            "name" : "DESKTOP-RFOOE09",
            "id" : "1e50b6e1-9710-4164-a8f0-032b3c721dc3",
            "mac" : [
              "9e:b6:d0:de:97:a9",
              "ae:b6:d0:de:97:a9",
              "9c:b6:d0:de:97:a9",
              "9c:b6:d0:de:97:aa",
              "00:15:5d:77:d0:cd"
            ],
            "architecture" : "x86_64"
          },
          "event" : {
            "created" : "2020-07-08T11:40:13.768Z",
            "kind" : "event",
            "category" : [
              "web",
              "network"
            ],
            "type" : [
              "connection"
            ]
          },
          "dataset" : {
            "name" : "iis.error",
            "namespace" : "default",
            "type" : "logs"
          }
        }
      },

IIS access logs:

  {
        "_index" : ".ds-logs-iis.access-default-000001",
        "_id" : "IfvJ43IB_yPpbIdgP2Rz",
        "_score" : 1.0,
        "_source" : {
          "agent" : {
            "name" : "DESKTOP-RFOOE09",
            "id" : "db17f9fb-5bcb-4116-a009-79a1bb7d4820",
            "type" : "filebeat",
            "ephemeral_id" : "3f65b650-b6a3-4694-83b3-0c324a60809d",
            "version" : "8.0.0"
          },
          "temp" : { },
          "log" : {
            "file" : {
              "path" : """C:\inetpub\logs\LogFiles\W3SVC2\u_ex181119.log"""
            },
            "offset" : 261
          },
          "destination" : {
            "address" : "127.0.0.1",
            "port" : 80,
            "ip" : "127.0.0.1"
          },
          "source" : {
            "address" : "127.0.0.1",
            "ip" : "127.0.0.1"
          },
          "url" : {
            "path" : "/"
          },
          "input" : {
            "type" : "log"
          },
          "iis" : {
            "access" : {
              "sub_status" : 3,
              "win32_status" : 5
            }
          },
          "@timestamp" : "2018-11-19T15:24:54.000Z",
          "ecs" : {
            "version" : "1.5.0"
          },
          "related" : {
            "ip" : [
              "127.0.0.1",
              "127.0.0.1"
            ]
          },
          "host" : {
            "hostname" : "DESKTOP-RFOOE09",
            "os" : {
              "build" : "18363.900",
              "kernel" : "10.0.18362.900 (WinBuild.160101.0800)",
              "name" : "Windows 10 Pro",
              "family" : "windows",
              "version" : "10.0",
              "platform" : "windows"
            },
            "ip" : [
              "fe80::31c1:8a71:5a2b:8b51",
              "169.254.139.81",
              "fe80::5d83:4428:eb69:6d47",
              "169.254.109.71",
              "fe80::d88d:d3cb:7338:7680",
              "192.168.21.104",
              "fe80::adc8:e8:c7c3:3f56",
              "169.254.63.86",
              "fe80::f157:f94b:8459:833",
              "192.168.121.33"
            ],
            "name" : "DESKTOP-RFOOE09",
            "id" : "1e50b6e1-9710-4164-a8f0-032b3c721dc3",
            "mac" : [
              "9e:b6:d0:de:97:a9",
              "ae:b6:d0:de:97:a9",
              "9c:b6:d0:de:97:a9",
              "9c:b6:d0:de:97:aa",
              "00:15:5d:77:d0:cd"
            ],
            "architecture" : "x86_64"
          },
          "http" : {
            "request" : {
              "method" : "GET"
            },
            "response" : {
              "status_code" : 401
            }
          },
          "event" : {
            "duration" : 725000000,
            "created" : "2020-07-08T11:40:14.112Z",
            "kind" : "event",
            "category" : [
              "web",
              "network"
            ],
            "type" : [
              "connection"
            ],
            "outcome" : "failure"
          },
          "dataset" : {
            "name" : "iis.access",
            "namespace" : "default",
            "type" : "logs"
          },
          "user_agent" : {
            "original" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
            "os" : {
              "name" : "Windows",
              "version" : "10",
              "full" : "Windows 10"
            },
            "name" : "Chrome",
            "device" : {
              "name" : "Other"
            },
            "version" : "70.0.3538.102"
          }
        }
      },

IIS application pool metrics:

 {
        "_index" : ".ds-metrics-iis.application_pool-default-000001",
        "_id" : "rfvK43IB_yPpbIdgaZRb",
        "_score" : 1.0,
        "_source" : {
          "@timestamp" : "2020-07-08T11:41:31.048Z",
          "process" : {
            "pid" : 51224
          },
          "event" : {
            "dataset" : "iis.application_pool",
            "module" : "iis",
            "duration" : 397142600
          },
          "host" : {
            "hostname" : "DESKTOP-RFOOE09",
            "architecture" : "x86_64",
            "os" : {
              "kernel" : "10.0.18362.900 (WinBuild.160101.0800)",
              "build" : "18363.900",
              "platform" : "windows",
              "version" : "10.0",
              "family" : "windows",
              "name" : "Windows 10 Pro"
            },
            "id" : "1e50b6e1-9710-4164-a8f0-032b3c721dc3",
            "ip" : [
              "fe80::31c1:8a71:5a2b:8b51",
              "169.254.139.81",
              "fe80::5d83:4428:eb69:6d47",
              "169.254.109.71",
              "fe80::d88d:d3cb:7338:7680",
              "192.168.21.104",
              "fe80::adc8:e8:c7c3:3f56",
              "169.254.63.86",
              "fe80::f157:f94b:8459:833",
              "192.168.121.33"
            ],
            "name" : "DESKTOP-RFOOE09",
            "mac" : [
              "9e:b6:d0:de:97:a9",
              "ae:b6:d0:de:97:a9",
              "9c:b6:d0:de:97:a9",
              "9c:b6:d0:de:97:aa",
              "00:15:5d:77:d0:cd"
            ]
          },
          "agent" : {
            "name" : "DESKTOP-RFOOE09",
            "type" : "metricbeat",
            "version" : "8.0.0",
            "ephemeral_id" : "8ade3582-e6ab-4664-ba27-52b3d46953e3",
            "id" : "3b73ebb6-c6ea-4354-b1f3-240ac1aa072c"
          },
          "service" : {
            "type" : "iis"
          },
          "iis" : {
            "application_pool" : {
              "name" : "DefaultAppPool",
              "net_clr" : {
                "total_exceptions_thrown" : 0
              },
              "process" : {
                "thread_count" : 30,
                "handle_count" : 466,
                "private_bytes" : 7.151616E7
              }
            }
          },
          "ecs" : {
            "version" : "1.5.0"
          },
          "metricset" : {
            "period" : 10000,
            "name" : "application_pool"
          },
          "dataset" : {
            "namespace" : "default",
            "type" : "metrics",
            "name" : "iis.application_pool"
          }
        }
      },

IIS website metrics

{
        "_index" : ".ds-metrics-iis.website-default-000001",
        "_id" : "W_vJ43IB_yPpbIdgYmoX",
        "_score" : 1.0,
        "_source" : {
          "@timestamp" : "2020-07-08T11:40:22.114Z",
          "ecs" : {
            "version" : "1.5.0"
          },
          "host" : {
            "name" : "DESKTOP-RFOOE09",
            "hostname" : "DESKTOP-RFOOE09",
            "architecture" : "x86_64",
            "os" : {
              "kernel" : "10.0.18362.900 (WinBuild.160101.0800)",
              "build" : "18363.900",
              "platform" : "windows",
              "version" : "10.0",
              "family" : "windows",
              "name" : "Windows 10 Pro"
            },
            "id" : "1e50b6e1-9710-4164-a8f0-032b3c721dc3",
            "ip" : [
              "fe80::31c1:8a71:5a2b:8b51",
              "169.254.139.81",
              "fe80::5d83:4428:eb69:6d47",
              "169.254.109.71",
              "fe80::d88d:d3cb:7338:7680",
              "192.168.21.104",
              "fe80::adc8:e8:c7c3:3f56",
              "169.254.63.86",
              "fe80::f157:f94b:8459:833",
              "192.168.121.33"
            ],
            "mac" : [
              "9e:b6:d0:de:97:a9",
              "ae:b6:d0:de:97:a9",
              "9c:b6:d0:de:97:a9",
              "9c:b6:d0:de:97:aa",
              "00:15:5d:77:d0:cd"
            ]
          },
          "iis" : {
            "website" : {
              "name" : "test2.local",
              "network" : {
                "total_put_requests" : 0,
                "total_get_requests" : 11,
                "service_uptime" : 1721807.0,
                "total_bytes_sent" : 135739,
                "maximum_connections" : 4,
                "total_connection_attempts" : 7,
                "total_post_requests" : 0,
                "total_bytes_received" : 4250,
                "current_connections" : 0,
                "total_delete_requests" : 0
              }
            }
          },
          "event" : {
            "dataset" : "iis.website",
            "module" : "iis",
            "duration" : 5008200
          },
          "metricset" : {
            "name" : "website",
            "period" : 10000
          },
          "service" : {
            "type" : "iis"
          },
          "dataset" : {
            "name" : "iis.website",
            "namespace" : "default",
            "type" : "metrics"
          },
          "agent" : {
            "type" : "metricbeat",
            "version" : "8.0.0",
            "ephemeral_id" : "8ade3582-e6ab-4664-ba27-52b3d46953e3",
            "id" : "3b73ebb6-c6ea-4354-b1f3-240ac1aa072c",
            "name" : "DESKTOP-RFOOE09"
          }
        }
      },

IIS webserver metrics

{
        "_index" : ".ds-metrics-iis.webserver-default-000001",
        "_id" : "ofvK43IB_yPpbIdg9535",
        "_score" : 1.0,
        "_source" : {
          "@timestamp" : "2020-07-08T11:42:12.102Z",
          "service" : {
            "type" : "iis"
          },
          "dataset" : {
            "type" : "metrics",
            "name" : "iis.webserver",
            "namespace" : "default"
          },
          "ecs" : {
            "version" : "1.5.0"
          },
          "host" : {
            "mac" : [
              "9e:b6:d0:de:97:a9",
              "ae:b6:d0:de:97:a9",
              "9c:b6:d0:de:97:a9",
              "9c:b6:d0:de:97:aa",
              "00:15:5d:77:d0:cd"
            ],
            "hostname" : "DESKTOP-RFOOE09",
            "architecture" : "x86_64",
            "name" : "DESKTOP-RFOOE09",
            "os" : {
              "kernel" : "10.0.18362.900 (WinBuild.160101.0800)",
              "build" : "18363.900",
              "platform" : "windows",
              "version" : "10.0",
              "family" : "windows",
              "name" : "Windows 10 Pro"
            },
            "id" : "1e50b6e1-9710-4164-a8f0-032b3c721dc3",
            "ip" : [
              "fe80::31c1:8a71:5a2b:8b51",
              "169.254.139.81",
              "fe80::5d83:4428:eb69:6d47",
              "169.254.109.71",
              "fe80::d88d:d3cb:7338:7680",
              "192.168.21.104",
              "fe80::adc8:e8:c7c3:3f56",
              "169.254.63.86",
              "fe80::f157:f94b:8459:833",
              "192.168.121.33"
            ]
          },
          "agent" : {
            "name" : "DESKTOP-RFOOE09",
            "type" : "metricbeat",
            "version" : "8.0.0",
            "ephemeral_id" : "8ade3582-e6ab-4664-ba27-52b3d46953e3",
            "id" : "3b73ebb6-c6ea-4354-b1f3-240ac1aa072c"
          },
          "iis" : {
            "webserver" : {
              "asp_net" : {
                "application_restarts" : 0,
                "request_wait_time" : 0
              },
              "asp_net_application" : {
                "requests_in_application_queue" : 0,
                "pipeline_instance_count" : 2,
                "requests/sec" : 0,
                "requests_executing" : 0,
                "errors_total/sec" : 0
              },
              "network" : {
                "total_get_requests" : 52,
                "total_anonymous_users" : 52,
                "current_connections" : 2,
                "anonymous_users_per_sec" : 0,
                "service_uptime" : 1721919.0,
                "total_post_requests" : 0,
                "total_non_anonymous_users" : 0,
                "bytes_received_per_sec" : 0,
                "total_delete_requests" : 0,
                "current_non_anonymous_users" : 0,
                "bytes_sent_per_sec" : 0,
                "total_bytes_received" : 33151,
                "current_anonymous_users" : 0,
                "post_requests_per_sec" : 0,
                "total_connection_attempts" : 23,
                "delete_requests_per_sec" : 0,
                "get_requests_per_sec" : 0,
                "maximum_connections" : 6,
                "total_bytes_sent" : 903338
              },
              "process" : {
                "io_write_operations_per_sec" : 5.7271735422265,
                "worker_process_count" : 2,
                "private_bytes" : 1.06692608E8,
                "page_faults_per_sec" : 1.0738450391674688,
                "virtual_bytes" : 2.222663852032E12,
                "io_read_operations_per_sec" : 5.7271735422265
              },
              "cache" : {
                "current_files_cached" : 2,
                "file_cache_misses" : 70,
                "total_files_cached" : 15,
                "output_cache_current_memory_usage" : 0,
                "file_cache_hits" : 18,
                "uri_cache_hits" : 14,
                "output_cache_total_hits" : 0,
                "output_cache_current_items" : 0,
                "current_file_cache_memory_usage" : 696,
                "current_uris_cached" : 1,
                "uri_cache_misses" : 62,
                "maximum_file_cache_memory_usage" : 99453,
                "output_cache_total_misses" : 76,
                "total_uris_cached" : 10
              }
            }
          },
          "event" : {
            "dataset" : "iis.webserver",
            "module" : "iis",
            "duration" : 1205854900
          },
          "metricset" : {
            "period" : 10000,
            "name" : "webserver"
          }
        }
      },

Dashboards look good

[four dashboard screenshots]

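As an added example (not code from this PR or the package's ingest pipeline): a small parser that turns a constructed IIS W3C access-log line into the ECS-shaped fields the iis.access sample above shows, so the sub_status/win32_status, event.duration and event.outcome values can be traced back to their log columns. The UTC timestamp assumption and the "status >= 400 is a failure" outcome rule are this example's, not necessarily the package's.

```python
"""Parse IIS W3C access-log lines into the ECS-style fields shown in the
iis.access sample document (added example with constructed input)."""
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample: IIS writes "#Fields:" directives at the top of each log
# file; the request line is built to match the values in the PR's sample document.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2018-11-19 15:24:54 127.0.0.1 GET / - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36 - 401 3 5 725
"""


def parse_iis_access_log(text: str) -> List[Dict]:
    """Return one ECS-shaped dict per request line.

    The column layout comes from the most recent "#Fields:" directive, so a
    file whose logging fields were changed mid-way is still parsed correctly.
    """
    fields: Optional[List[str]] = None
    events: List[Dict] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("request line seen before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        events.append(to_ecs(dict(zip(fields, values))))
    return events


def to_ecs(row: Dict[str, str]) -> Dict:
    """Map W3C columns onto the fields the PR's iis.access sample shows."""
    status = int(row["sc-status"])
    # IIS writes W3C logs in UTC by default (assumption: default logging config).
    ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc)
    event = {
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
        "source": {"ip": row["c-ip"], "address": row["c-ip"]},
        "destination": {"ip": row["s-ip"], "address": row["s-ip"],
                        "port": int(row["s-port"])},
        "url": {"path": row["cs-uri-stem"]},
        "http": {"request": {"method": row["cs-method"]},
                 "response": {"status_code": status}},
        # sc-substatus / sc-win32-status are what make a 401 diagnosable:
        # 401.3 with Win32 error 5 means the resource ACL denied the request.
        "iis": {"access": {"sub_status": int(row["sc-substatus"]),
                           "win32_status": int(row["sc-win32-status"])}},
        # time-taken is milliseconds; ECS event.duration is nanoseconds.
        # Outcome rule (status >= 400 is a failure) is this example's assumption.
        "event": {"duration": int(row["time-taken"]) * 1_000_000,
                  "outcome": "failure" if status >= 400 else "success"},
        # IIS encodes spaces inside the User-Agent column as '+'.
        "user_agent": {"original": row["cs(User-Agent)"].replace("+", " ")},
        "related": {"ip": [row["c-ip"], row["s-ip"]]},
    }
    if row["cs-uri-query"] != "-":
        event["url"]["query"] = row["cs-uri-query"]
    if row["cs-username"] != "-":
        event["user"] = {"name": row["cs-username"]}
    return event
```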
@narph narph self-assigned this Jun 30, 2020
@narph narph added the Team:Integrations Label for the Integrations team label Jun 30, 2020
@elasticmachine commented Jun 30, 2020

💚 Build Succeeded

Build stats

  • Build Cause: [Pull request #138 updated]

  • Start Time: 2020-07-09T15:07:08.467+0000

  • Duration: 3 min 45 sec

@narph narph mentioned this pull request Jun 30, 2020
packages/iis/dataset/access/manifest.yml (outdated, resolved)
packages/iis/dataset/error/manifest.yml (outdated, resolved)
packages/iis/manifest.yml (outdated, resolved)
@narph narph marked this pull request as ready for review July 8, 2020 11:58
@elasticmachine

Pinging @elastic/integrations (Team:Integrations)

@narph narph requested a review from mtojek July 8, 2020 11:58
@ChrsMark (Member) left a comment

Left some comments.
Also could you please post a screenshot with integration's configuration form in Kibana?

dev/import-beats-resources/iis/docs/README.md (resolved)
packages/iis/dataset/access/manifest.yml (outdated, resolved)
packages/iis/manifest.yml (outdated, resolved)
packages/iis/manifest.yml (outdated, resolved)
packages/iis/manifest.yml (outdated, resolved)
type: image/svg+xml
format_version: 1.0.0
license: basic
categories: []
Member:

Contributor Author:

this will come in a different PR

Member:

That's fine! Just out of curiosity, is there any particular reason for this? Is anything missing from the list of categories?

packages/iis/dataset/webserver/manifest.yml (outdated, resolved)
required: true
show_user: true
default: 10s
title: IIS webserver metrics
Member:

same as above

packages/iis/dataset/webserver/manifest.yml (outdated, resolved)
packages/iis/dataset/website/manifest.yml (outdated, resolved)
@narph narph requested a review from ChrsMark July 9, 2020 14:40
size: 1960x2820
type: image/png
- src: /img/metricbeat-iis-application-pool-overview.png
title: Metricbeat IIS Application Pool overview
Member:

Suggested change
title: Metricbeat IIS Application Pool overview
title: Metricbeat IIS Application Pool Overview

size: 3785x1986
type: image/png
- src: /img/metricbeat-iis-webserver-overview.png
title: Metricbeat IIS Webserver overview
Member:

Suggested change
title: Metricbeat IIS Webserver overview
title: Metricbeat IIS Webserver Overview

size: 3137x1366
type: image/png
- src: /img/metricbeat-iis-webserver-process.png
title: Metricbeat IIS Webserver process
Member:

Suggested change
title: Metricbeat IIS Webserver process
title: Metricbeat IIS Webserver Process

size: 3108x1629
type: image/png
- src: /img/metricbeat-iis-website-overview.png
title: Metricbeat IIS Website overview
Member:

Suggested change
title: Metricbeat IIS Website overview
title: Metricbeat IIS Website Overview

packages/iis/docs/README.md (outdated, resolved)
dev/import-beats-resources/iis/docs/README.md (outdated, resolved)
@narph narph requested a review from ChrsMark July 9, 2020 15:10
@ChrsMark (Member) left a comment

LGTM, thanks!

@narph narph merged commit c4f6ee1 into elastic:master Jul 9, 2020
@narph narph deleted the import-iis branch July 9, 2020 15:14
eyalkraft pushed a commit to build-security/integrations that referenced this pull request Mar 30, 2022
* temp

* temp

* manifest

* work on iis

* remove local changes

* test

* fix

* update

* update

* work on review

* update docs

* review

* update

* camelcase