
Split address and port in AWS ALB Bucket #14525

Merged 7 commits into 4.4 from fix/13095-improve-ALB-logs-parsing on Sep 13, 2022

Conversation

nico-stefani (Member) commented Aug 9, 2022

Related issue
#13095

Description

This PR closes #13095. It improves the parsing of ALB logs by splitting client_port, target_port and target_port_list into separate ip and port values for each key.

Manual Test

root@1a356d9cc48c:/var/ossec# /var/ossec/framework/python/bin/python3 /var/ossec/wodles/aws/aws_s3.py -b wazuh-aws-wodle-alb -t alb -s 2021-Dec-21 -p dev -d2
DEBUG: +++ Debug mode on - Level: 2
DEBUG: +++ Table does not exist; create
DEBUG: +++ Working on XXXXXXXXXXXX - us-west-1
DEBUG: +++ Marker: AWSLogs/XXXXXXXXXXXX/elasticloadbalancing/us-west-1/2021/12/21
DEBUG: ++ Found new log: AWSLogs/XXXXXXXXXXXX/elasticloadbalancing/us-west-1/2021/12/21/XXXXXXXXXXXX_elasticloadbalancing_us-west-1_app.ALB-framework-dev.959dfdbaed241613_20211221T0000Z_52.52.208.49_14pczeay.log.gz
DEBUG: ++ Found new log: AWSLogs/XXXXXXXXXXXX/elasticloadbalancing/us-west-1/2021/12/22/XXXXXXXXXXXX_elasticloadbalancing_us-west-1_app.ALB-framework-dev.959dfdbaed241613_20211222T0000Z_52.52.208.49_14pczeay.log.gz
DEBUG: ++ Found new log: AWSLogs/XXXXXXXXXXXX/elasticloadbalancing/us-west-1/2021/12/23/XXXXXXXXXXXX_elasticloadbalancing_us-west-1_app.ALB-framework-dev.959dfdbaed241613_20211223T0000Z_52.52.208.49_14pczeay.log.gz
DEBUG: ++ Found new log: AWSLogs/XXXXXXXXXXXX/elasticloadbalancing/us-west-1/2021/12/23/XXXXXXXXXXXX_elasticloadbalancing_us-west-1_app.ALB-framework-dev.959dfdbaed241613_20211230T0000Z_52.52.208.49_14pczeay.log

The alert sent with the new fields.

** Alert 1660061728.6208: - amazon,aws,aws_alb,
2022 Aug 09 16:15:28 1a356d9cc48c->Wazuh-AWS
Rule: 80328 (level 5) -> 'AWS ALB: Status error:  - forward - Mozilla/5.0 (compatible; Nimbostratus-Bot/v1.3.2; http://cloudsystemnetworks.com) [ELB: app/ALB-framework-dev/959dfdbaed241613].'
{"integration": "aws", "aws": {"log_info": {"aws_account_alias": "", "log_file": "AWSLogs/XXXXXXXXXXXX/elasticloadbalancing/us-west-1/2021/12/23/XXXXXXXXXXXX-west-1_app.ALB-framework-dev.959dfdbaed241613_20211223T0000Z_52.52.208.49_14pczeay.log.gz", "s3bucket": "wazuh-aws-wodle-alb"}, "type": "http", "time": "2020-11-23T23:57:06.780380Z", "elb": "app/ALB-framework-dev/959dfdbaed241613", "client_port": "51444", "target_port": "80", "request_processing_time": "0.001", "target_processing_time": "0.001", "response_processing_time": "0.000", "elb_status_code": "403", "target_status_code": "403", "received_bytes": "136", "sent_bytes": "5173", "request": "GET http://52.52.208.49:80/ HTTP/1.1", "user_agent": "Mozilla/5.0 (compatible; Nimbostratus-Bot/v1.3.2; http://cloudsystemnetworks.com)", "ssl_cipher": "-", "ssl_protocol": "-", "target_group_arn": "arn:aws:elasticloadbalancing:us-west-1:XXXXXXXXXXXX:targetgroup/EC2/a7985a8385b86dc0", "trace_id": "Root=1-5fbc4c52-5a3a21203a0b9d20551c0535", "domain_name": "-", "chosen_cert_arn": "-", "matched_rule_priority": "0", "request_creation_time": "2020-11-23T23:57:06.778000Z", "action_executed": "forward", "redirect_url": "-", "error_reason": "-", "target_port_list": "80", "target_status_code_list": "403", "classification": "-", "classification_reason": "-", "source": "alb", "client_ip": "209.17.97.74", "target_ip": "10.0.0.125", "target_ip_list": "10.0.0.125"}}
integration: aws
aws.log_info.log_file: AWSLogs/XXXXXXXXXXXX/elasticloadbalancing/us-west-1/2021/12/23/XXXXXXXXXXXX-west-1_app.ALB-framework-dev.959dfdbaed241613_20211223T0000Z_52.52.208.49_14pczeay.log.gz
aws.log_info.s3bucket: wazuh-aws-wodle-alb
aws.type: http
aws.time: 2020-11-23T23:57:06.780380Z
aws.elb: app/ALB-framework-dev/959dfdbaed241613
aws.client_port: 51444
aws.target_port: 80
aws.request_processing_time: 0.001
aws.target_processing_time: 0.001
aws.response_processing_time: 0.000
aws.elb_status_code: 403
aws.target_status_code: 403
aws.received_bytes: 136
aws.sent_bytes: 5173
aws.request: GET http://52.52.208.49:80/ HTTP/1.1
aws.user_agent: Mozilla/5.0 (compatible; Nimbostratus-Bot/v1.3.2; http://cloudsystemnetworks.com)
aws.ssl_cipher: -
aws.ssl_protocol: -
aws.target_group_arn: arn:aws:elasticloadbalancing:us-west-1:XXXXXXXXXXXX:targetgroup/EC2/a7985a8385b86dc0
aws.trace_id: Root=1-5fbc4c52-5a3a21203a0b9d20551c0535
aws.domain_name: -
aws.chosen_cert_arn: -
aws.matched_rule_priority: 0
aws.request_creation_time: 2020-11-23T23:57:06.778000Z
aws.action_executed: forward
aws.redirect_url: -
aws.error_reason: -
aws.target_port_list: 80
aws.target_status_code_list: 403
aws.classification: -
aws.classification_reason: -
aws.source: alb
aws.client_ip: 209.17.97.74
aws.target_ip: 10.0.0.125
aws.target_ip_list: 10.0.0.125

Warning message for malformed log

WARNING: Unable to process correctly malformed ABL log entry: {'type': '2020-11-23T23:57:06.780380Z', 'time': 'app/ALB-framework-dev/959dfdbaed241613', 'elb': '209.17.97.74:51444', 'client_port': '80', 'target_port': '0.001', 'request_processing_time': '0.001', 'target_processing_time': '0.000', 'response_processing_time': '403', 'elb_status_code': '403', 'target_status_code': '136', 'received_bytes': '5173', 'sent_bytes': 'GET http://52.52.208.49:80/ HTTP/1.1', 'request': 'Mozilla/5.0 (compatible; Nimbostratus-Bot/v1.3.2; http://cloudsystemnetworks.com)', 'user_agent': '-', 'ssl_cipher': '-', 'ssl_protocol': 'arn:aws:elasticloadbalancing:us-west-1:XXXXXXXXXXXX:targetgroup/EC2/a7985a8385b86dc0', 'target_group_arn': 'Root=1-5fbc4c52-5a3a21203a0b9d20551c0535', 'trace_id': '-', 'domain_name': '-', 'chosen_cert_arn': '0', 'matched_rule_priority': '2020-11-23T23:57:06.778000Z', 'request_creation_time': 'forward', 'action_executed': '-', 'redirect_url': '-', 'error_reason': '10.0.0.125:80', 'target_port_list': '403', 'target_status_code_list': '-', 'classification': '-', 'classification_reason': None, 'source': 'alb', 'client_ip': '10.0.0.125'}.
DEBUG: +++ DB Maintenance
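An added worked example of the split described in this PR (example code, not the wodle's own implementation): it tokenises one ALB access-log line in the documented column order, splits the `ip:port` columns into separate ip and port keys (handling the `-` placeholder and space-separated `target:port_list` values), and rejects a line whose column count is wrong instead of letting every later value shift into the wrong key, as the malformed-log warning above illustrates. The sample line and the `Bot/1.0` user agent are constructed.

```python
import re

# ALB access-log columns in their documented on-disk order (29 columns).
ALB_FIELDS = [
    "type", "time", "elb", "client_port", "target_port",
    "request_processing_time", "target_processing_time",
    "response_processing_time", "elb_status_code", "target_status_code",
    "received_bytes", "sent_bytes", "request", "user_agent", "ssl_cipher",
    "ssl_protocol", "target_group_arn", "trace_id", "domain_name",
    "chosen_cert_arn", "matched_rule_priority", "request_creation_time",
    "action_executed", "redirect_url", "error_reason", "target_port_list",
    "target_status_code_list", "classification", "classification_reason",
]
# "ip:port" columns (target_port_list is a space-separated list of them)
# mapped to the key that receives the address half after the split.
SPLIT_KEYS = {"client_port": "client_ip", "target_port": "target_ip",
              "target_port_list": "target_ip_list"}
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # quoted field or bare token


def split_addr(value):
    """'ip:port' -> (ip, port). '-' (request never reached a target) stays
    ('-', '-'); rsplit keeps the inner colons of an IPv6 address intact."""
    if ":" not in value:
        return value, "-"
    ip, port = value.rsplit(":", 1)
    return ip, port


def parse_alb_line(line):
    """Return the parsed entry, or None when the column count is wrong.
    Mapping a short or long line positionally would shift every later
    value into the wrong key, which is what the warning above shows."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(line.strip())]
    if len(tokens) != len(ALB_FIELDS):
        return None
    entry = dict(zip(ALB_FIELDS, tokens))
    for port_key, ip_key in SPLIT_KEYS.items():
        pairs = [split_addr(v) for v in entry[port_key].split()]
        entry[ip_key] = " ".join(ip for ip, _ in pairs)
        entry[port_key] = " ".join(port for _, port in pairs)
    return entry


# Constructed sample line shaped after the alert shown in this PR.
SAMPLE = ('http 2020-11-23T23:57:06.780380Z app/ALB-framework-dev/959dfdbaed241613 '
          '209.17.97.74:51444 10.0.0.125:80 0.001 0.001 0.000 403 403 136 5173 '
          '"GET http://52.52.208.49:80/ HTTP/1.1" "Mozilla/5.0 (compatible; Bot/1.0)" '
          '- - arn:aws:elasticloadbalancing:us-west-1:XXXXXXXXXXXX:targetgroup/EC2/a7985a8385b86dc0 '
          '"Root=1-5fbc4c52-5a3a21203a0b9d20551c0535" "-" "-" 0 '
          '2020-11-23T23:57:06.778000Z "forward" "-" "-" "10.0.0.125:80" "403" "-" "-"')
```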

@CarlosRS9 CarlosRS9 self-requested a review August 12, 2022 10:37
@nico-stefani nico-stefani self-assigned this Aug 12, 2022
@nico-stefani nico-stefani force-pushed the fix/13095-improve-ALB-logs-parsing branch from 3312bbb to f713b0d Compare August 12, 2022 16:36
@nico-stefani nico-stefani linked an issue Aug 12, 2022 that may be closed by this pull request
@nico-stefani nico-stefani force-pushed the fix/13095-improve-ALB-logs-parsing branch 2 times, most recently from 2323356 to d6b6fac Compare August 22, 2022 13:07
@nico-stefani nico-stefani force-pushed the fix/13095-improve-ALB-logs-parsing branch from 1bc43ed to b01f96e Compare September 8, 2022 15:06
…ist keys

Signed-off-by: Nicolas Stefani <nicolas.stefi@wazuh.com>
This reverts commit 3312bbb.

Signed-off-by: Nicolas Stefani <nicolas.stefi@wazuh.com>
@nico-stefani nico-stefani force-pushed the fix/13095-improve-ALB-logs-parsing branch from 15afcc0 to 02f6619 Compare September 13, 2022 14:22
@davidjiglesias davidjiglesias merged commit 624ffeb into 4.4 Sep 13, 2022
@davidjiglesias davidjiglesias deleted the fix/13095-improve-ALB-logs-parsing branch September 13, 2022 15:40
Successfully merging this pull request may close these issues.

Improve ALB access logs parsing in AWS integration
3 participants