
Improve ALB access logs parsing in AWS integration #13095

Closed
elwali10 opened this issue Apr 11, 2022 · 2 comments · Fixed by #14525
Labels: impact/high, module/aws, module/cloud monitoring (Monitoring external services: AWS, Azure, GCP, O365...), module/framework, reporter/operations, type/enhancement (New feature or request)

Comments

@elwali10 (Member) commented Apr 11, 2022

Wazuh version: 4.x
Component: AWS Module

The AWS module includes ALB access logs, but the current parsing mechanism does not extract IP addresses and ports into separate fields.

According to the ALB documentation, the fields follow the syntax client:port, target:port_list and target:port. We can split these into the following fields:

  • Client_IP
  • Client_port
  • Target_IP
  • Target_port
  • Target_IP_list
  • Target_port_list

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#error-reason-codes

Currently, the parsing is performed as below:

[screenshot]

Regards,
Elwali
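A parser that performs the split requested above, added here as an example and not Wazuh's own code. The field positions follow the ALB access log layout in the documentation linked above, the two log lines are constructed samples, and the function names are assumptions; it also covers the "-" case where the request could not be routed to any target.

```python
import re
from typing import Dict, List, Optional, Tuple

# 0-based positions in the documented ALB access log layout:
# client:port is field 3, target:port is field 4, "target:port_list" is field 25.
CLIENT_IDX, TARGET_IDX, TARGET_LIST_IDX = 3, 4, 25
# A field is a double-quoted string (may contain spaces) or a bare token.
_FIELD = re.compile(r'"[^"]*"|\S+')

def tokenize(line: str) -> List[str]:
    """Split one ALB log line into fields, keeping quoted fields intact."""
    return [t[1:-1] if len(t) > 1 and t[0] == t[-1] == '"' else t
            for t in _FIELD.findall(line)]

def split_endpoint(value: str) -> Tuple[Optional[str], Optional[int]]:
    """'ip:port' -> (ip, port). Splitting on the last colon keeps IPv6 whole."""
    if value == "-" or ":" not in value:      # "-" = no target (unroutable request)
        return None, None
    ip, _, port = value.rpartition(":")
    return ip, int(port)

def parse_alb_endpoints(line: str) -> Dict[str, object]:
    """Return the six split fields requested in the issue."""
    fields = tokenize(line)
    client_ip, client_port = split_endpoint(fields[CLIENT_IDX])
    target_ip, target_port = split_endpoint(fields[TARGET_IDX])
    raw = fields[TARGET_LIST_IDX]              # space-separated, or "-" when empty
    pairs = [] if raw == "-" else [split_endpoint(t) for t in raw.split()]
    return {"client_ip": client_ip, "client_port": client_port,
            "target_ip": target_ip, "target_port": target_port,
            "target_ip_list": [ip for ip, _ in pairs],
            "target_port_list": [port for _, port in pairs]}

# Constructed sample lines, not real traffic. The second is an unroutable request
# from an IPv6 client: target:port and target:port_list are both "-".
SAMPLE_OK = ('http 2022-04-11T12:00:00.123456Z app/my-alb/50dc6c495c0c9188 '
             '192.0.2.10:54321 10.0.1.5:80 0.001 0.005 0.000 200 200 34 366 '
             '"GET http://www.example.com:80/ HTTP/1.1" "curl/7.68.0" - - '
             'arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/tg/a1 '
             '"Root=1-62541a40-0123456789abcdef01234567" "-" "-" 0 '
             '2022-04-11T12:00:00.120000Z "forward" "-" "-" '
             '"10.0.1.5:80 10.0.1.6:80" "200 200" "-" "-"')
SAMPLE_ERR = ('http 2022-04-11T12:00:01.000000Z app/my-alb/50dc6c495c0c9188 '
              '2001:db8::7:44321 - 0.000 -1 -1 503 - 10 220 '
              '"GET http://www.example.com:80/ HTTP/1.1" "curl/7.68.0" - - '
              'arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/tg/a1 '
              '"Root=1-62541a41-0123456789abcdef01234568" "-" "-" 0 '
              '2022-04-11T12:00:00.990000Z "forward" "-" "-" "-" "-" "-" "-"')
```

Calling `parse_alb_endpoints(SAMPLE_OK)` yields separate `client_ip`/`client_port` and `target_ip`/`target_port` values plus the two list fields; for `SAMPLE_ERR` the target fields come back as `None` and the lists empty rather than failing on "-".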

@CarlosRS9 CarlosRS9 added module/cloud monitoring Monitoring external services (AWS, Azure, GCP, O365...) team/framework/modules labels Jul 8, 2022
@CarlosRS9 CarlosRS9 added type/enhancement New feature or request and removed type/bug Something isn't working labels Jul 18, 2022
@MiguelCasaresRobles MiguelCasaresRobles changed the title AWS ALB integration IP & port log parssing Split IPaddress and port field in two different fields for AWS ALB integration Jul 18, 2022
@MiguelCasaresRobles MiguelCasaresRobles changed the title Split IPaddress and port field in two different fields for AWS ALB integration Improve ALB access logs parsing in AWS integration Jul 18, 2022
@nico-stefani nico-stefani self-assigned this Aug 8, 2022
@nico-stefani nico-stefani linked a pull request Aug 12, 2022 that will close this issue
@nico-stefani (Member) commented

Issue Update

With the introduced changes, we now have different fields for IP and port.

[screenshot]

[screenshot]

@vikman90 vikman90 added this to the Release 4.4.0 milestone Aug 29, 2022
@nico-stefani (Member) commented

Issue Update

With the latest changes we are able to process all cases with simpler code.

[screenshot]

[screenshot]
