We are able to see it with CAPME when drilling into details with squert. CAPME is able to read the headers in the pcap file, so that works perfectly. We just cannot see it with logstash.
For example: we would like to see a "client-ip" field in this log with the originating IP. The field "ip-client" is inserted into the HTTP headers. This is similar to the XFF field. At this point it seems to be a logstash custom field that needs to be inserted into the config. Anyone dealt with this before?
@timestamp June 22nd 2018, 08:51:13.705
@version 1
_id HisxKGQBJ8TfUiWrV77S
_index sosensor-la01p:logstash-bro-2018.06.22
_score -
_type doc
connection_state S0
connection_state_description Connection attempt seen, no reply
destination_geo.city_name Los Angeles
destination_geo.continent_code NA
destination_geo.country_code2 US
destination_geo.country_code3 US
destination_geo.country_name United States
destination_geo.dma_code 803
destination_geo.ip x.x.x.x
destination_geo.latitude 34.058
destination_geo.location {
"lat": 34.0584,
"lon": -118.278
}
destination_geo.longitude -118.278
destination_geo.postal_code 90017
destination_geo.region_code CA
destination_geo.region_name California
destination_geo.timezone America/Los_Angeles
destination_ip x.x.x.x
destination_ips x.x.x.x
destination_port 80
event_type bro_conn
history S
host gateway
ips x.x.x.x, x.x.x.x
local_orig false
local_respond false
logstash_time 0.008
message {"ts":"2018-06-22T15:51:13.705055Z","uid":"CkPQBG2TDluxuxVHZ1","id.orig_h":"37.203.233.156","id.orig_p":27320,"id.resp_h":"x.x.x.x","id.resp_p":80,"proto":"tcp","conn_state":"S0","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"S","orig_pkts":1,"orig_ip_bytes":40,"resp_pkts":0,"resp_ip_bytes":0,"tunnel_parents":[],"orig_cc":"IT","resp_cc":"US","sensorname":"sosensor-la01p-enp5s0f1"}
missed_bytes 0B
original_country_code IT
original_ip_bytes 40B
original_packets 1
port 45940
protocol tcp
respond_country_code US
respond_ip_bytes 0B
respond_packets 0
sensor_name sosensor-la01p-enp5s0f1
source_geo.city_name Storo
source_geo.continent_code EU
source_geo.country_code2 IT
source_geo.country_code3 IT
source_geo.country_name Italy
source_geo.ip 37.203.233.156
source_geo.latitude 45.842
source_geo.location {
"lat": 45.8418,
"lon": 10.5492
}
source_geo.longitude 10.549
source_geo.postal_code 38089
source_geo.region_code TN
source_geo.region_name Trento
source_geo.timezone Europe/Rome
source_ip 37.203.233.156
source_ips 37.203.233.156
source_port 27320
syslog-facility user
syslog-file_name /nsm/bro/logs/current/conn.log
syslog-host sosensor-la01p
syslog-host_from sosensor-la01p
syslog-priority notice
syslog-sourceip 127.0.0.1
syslog-tags .source.s_bro_conn
tags syslogng, bro, external_destination, external_source
timestamp 2018-06-22T15:51:19.646Z
tunnel_parents
uid CkPQBG2TDluxuxVHZ1
Here is a reference config I have been looking at. I just have no clue where to start customizing.
https://discuss.elastic.co/t/clientip-field-is-not-identified-by-logstash-solved/64624/10
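Added example, not from the post above or from Security Onion: the record pasted above is a bro_conn event, and conn.log never carries HTTP headers, so Logstash has nothing to extract until the header value is present in a Bro log (assumed here as an extra "ip_client" field on http.log, an assumption the post does not confirm). The Ruby below mirrors what a Logstash ruby filter (event.get/event.set) would then do with the JSON in the message field: take the first entry of the XFF-style list, keep it only if it parses as an IP address since the header is client-supplied, and tag the event otherwise. Field names and sample values are constructed.

```ruby
require 'json'
require 'ipaddr'

# Assumed name of the extra field a Bro script would add to http.log
# for the custom ip-client request header (assumption, not from the post).
HEADER_FIELD = "ip_client"

# Constructed bro_http record as Logstash would see it in `message`.
# The originating IP comes first; the proxy that hit the sensor is last.
SAMPLE_MESSAGE = {
  "ts" => "2018-06-22T15:51:13.705055Z",
  "uid" => "CkPQBG2TDluxuxVHZ1",
  "id.orig_h" => "10.0.0.5",
  "id.resp_h" => "192.0.2.10",
  "method" => "GET",
  "host" => "example.com",
  HEADER_FIELD => "203.0.113.7, 10.0.0.5"
}.to_json

def tag(event, name)
  event["tags"] = (event["tags"] || []) + [name]
  event
end

# Returns the event with `client_ip` set to the validated originating IP,
# or with a `_client_ip_invalid` tag when the header is absent or not an IP.
def extract_client_ip(event, header_field: HEADER_FIELD)
  bro = JSON.parse(event["message"])
  first = bro[header_field].to_s.split(",").first.to_s.strip
  # Reject empty values and CIDR-looking strings; IPAddr would accept "x/24".
  return tag(event, "_client_ip_invalid") if first.empty? || first.include?("/")
  event["client_ip"] = IPAddr.new(first).to_s
  event
rescue JSON::ParserError
  tag(event, "_bro_json_invalid")
rescue IPAddr::InvalidAddressError, ArgumentError
  tag(event, "_client_ip_invalid")
end

if __FILE__ == $0
  puts extract_client_ip({"message" => SAMPLE_MESSAGE, "event_type" => "bro_http"}).inspect
end
```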