NGINX Web Server

Modeling Rule

NGINX Web Server

Details

IDNGINXWebServer
From Version6.8.0
To Version6.9.9
TagsNGINX Web Server

Rules (XIF)

[MODEL: dataset="nginx_nginx_raw", model="Network"] 
 filter _raw_log contains "GET" or _raw_log contains "HEAD" or _raw_log contains "POST" or _raw_log contains "DELETE" or _raw_log contains "CONNECT" or _raw_log contains "OPTIONS" or _raw_log contains "TRACE" or _raw_log contains "PATCH" 
| alter Request_time = arrayindex(regextract(_raw_log , "\[(\d+\/\w+\/\d+\:\d+\:\d+\:\d+\s\S+)\]") , 0)
| alter Source_Ip = arrayindex(regextract(_raw_log , "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s)") ,0)
| alter  requested_line= arrayindex(regextract(_raw_log ,"\"(\w+\s[^\"]+)\"") ,0)
| alter response_code = arrayindex(regextract(_raw_log,"\"\s(\d+)") ,0)
| alter User_agent = arrayindex(regextract(_raw_log ,"\"\s\"([^\"]+)") ,0)
| alter Referrer= arrayindex(regextract(_raw_log ,"(http[^\"]+)"),0)
| alter bytes_size=arrayindex(regextract(_raw_log ,"\d\s(\d+)"),0)
// extract source_ip
| alter sourceipv4= arrayindex(regextract(_raw_log , "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s)") ,0)
| alter sourceipv6 = arrayindex(regextract(_raw_log ,"(\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+)") ,0)
| alter sourceip = coalesce(sourceipv4 ,sourceipv6)
// end extract source_ip
| alter Username = arrayindex(regextract(_raw_log,"(\S+)\s\[\d+\/") ,0)
| alter XDM.Network.event_timestamp= parse_timestamp("%d/%b/%Y:%H:%M:%S %Ez", Request_time)
| alter XDM.Network.http.url = requested_line
| alter XDM.Network.http.response_code = response_code  
//| alter XDM.Network.http.user_agent= User_agent
| alter XDM.Network.http.referrer =Referrer
| alter XDM.Network.Destination.bytes=to_number(bytes_size)
| alter XDM.Network.Source.ipv4 =source_ip
| alter XDM.Network.Source.user.username =Username;

[MODEL: dataset="nginx_nginx_raw", model="Audit"] 
alter timestamp = arrayindex(regextract(_raw_log , "(\d+\/\d+\/\d+\s\d+\:\d+\:\d+) ") , 0)
| alter log_level= arrayindex(regextract(_raw_log ,"\[(\w+)\]") ,0)
| alter Tid= arrayindex(regextract(_raw_log ,"\#(\d+)") ,0)     
| alter cid = arrayindex(regextract(_raw_log ,"\*(\d+)") ,0)
| alter uri=arrayindex(regextract(_raw_log ,"open\(\)\s\"?([^\s]+)"),0)
| alter error_message =arrayindex(regextract(_raw_log ,"\*\d+\s([^\,]+)"),0) 
// extract client
| alter client_address_ipv4= arrayindex(regextract(_raw_log ,"client:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"), 0)
| alter client_address_ipv6 = arrayindex(regextract(_raw_log ,"client\:\s(\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+)") ,0)
| alter client_address  = coalesce(client_address_ipv4 , client_address_ipv6)
// end extract client
| alter Server =arrayindex(regextract(_raw_log ,"server\:([^\,]+)"),0)
| alter Request =arrayindex(regextract(_raw_log ,"request\:([^\,]+)"),0)
| alter Host =arrayindex(regextract(_raw_log ,"host\:\s\"?([^\"?\:]+)"),0)
| alter Referrer =arrayindex(regextract(_raw_log ,"referrer\:\s([^\s]+) "),0)
| alter destination_port =arrayindex(regextract(_raw_log ,"host\:\s\"?[^\"?\:]+\:(\d+)"),0)
| alter XDM.Audit.event_timestamp = parse_timestamp("%Y/%m/%d %X", timestamp)
| alter XDM.Audit.threat.severity = log_level
| alter XDM.Audit.identity.uuid=tid
| alter XDM.Audit.TriggeredBy.ipv4 =client_address       
| alter XDM.Audit.threat.description = error_message
| alter XDM.Audit.identity.name = server
| alter XDM.Audit.threat.description =request 
| alter XDM.Audit.identity.name  =host
| alter XDM.Audit.original_event_description =referrer 
| alter XDM.Audit.TriggeredBy.identity.uuid =  uri
| alter XDM.Audit.audited_resource.value  = destination_port;

Schema

nginx_nginx_raw

Field Type Array?
_raw_log string
Raw JSON
{
  "nginx_nginx_raw": {
    "_raw_log": {
      "type": "string",
      "is_array": false
    }
  }
}