diff --git a/nginx/assets/logs/nginx.yaml b/nginx/assets/logs/nginx.yaml
old mode 100644
new mode 100755
index e43e21e1a833c..367559b6ebe5f
--- a/nginx/assets/logs/nginx.yaml
+++ b/nginx/assets/logs/nginx.yaml
@@ -117,13 +117,13 @@ pipeline: samples: - HEAD http://174.138.82.103:80/sql/sql-admin/ HTTP/1.1 - type: url-parser - name: '' + name: "" enabled: true sources: - http.url target: http.url_details - type: user-agent-parser - name: '' + name: "" enabled: true sources: - http.useragent
@@ -139,16 +139,16 @@ pipeline: enabled: true categories: - filter: - query: '@http.status_code:[200 TO 299]' + query: "@http.status_code:[200 TO 299]" name: OK - filter: - query: '@http.status_code:[300 TO 399]' + query: "@http.status_code:[300 TO 399]" name: notice - filter: - query: '@http.status_code:[400 TO 499]' + query: "@http.status_code:[400 TO 499]" name: warning - filter: - query: '@http.status_code:[500 TO 599]' + query: "@http.status_code:[500 TO 599]" name: error target: http.status_category - type: status-remapper 
@@ -157,3 +157,239 @@ pipeline: sources: - http.status_category - level + - type: pipeline + name: OCSF sub pipeline for HTTP Activity [4002] + enabled: true + ocsf: + isOcsf: true + filter: + query: "@http.method:*" + processors: + - type: string-builder-processor + name: Add ocsf.metadata.product.name + enabled: true + template: "nginx" + target: ocsf.metadata.product.name + replaceMissing: false + - type: string-builder-processor + name: Add ocsf.metadata.product.vendor_name + enabled: true + template: "F5" + target: ocsf.metadata.product.name + replaceMissing: false + - type: grok-parser + name: Parsing `ocsf.http_request.url.query_string` from `http.url` + enabled: true + source: http.url + samples: + - /datadoghq/company?test=var1%20Pl + grok: + supportRules: "" + matchRules: | + extract_query_string %{regex("[^?@#]+")}\?%{regex(".*"):ocsf.http_request.url.query_string} + - type: schema-processor + name: Apply OCSF schema for 4002 + enabled: true + mappers: + - type: schema-category-mapper + name: ocsf.activity_id + categories: + - filter: + query: "@http.method:CONNECT" + name: Connect + id: 1 + - filter: + query: "@http.method:DELETE" + name: Delete + id: 2 + - filter: + query: "@http.method:GET" + name: Get + id: 3 + - filter: + query: "@http.method:HEAD" + name: Head + id: 4 + - filter: + query: "@http.method:OPTIONS" + name: Options + id: 5 + - filter: + query: "@http.method:POST" + name: Post + id: 6 + - filter: + query: "@http.method:PUT" + name: Put + id: 7 + - filter: + query: "@http.method:TRACE" + name: Trace + id: 8 + - filter: + query: "@http.method:PATCH" + name: Patch + id: 9 + - filter: + query: "@http.method:*" + name: Other + id: 99 + targets: + name: ocsf.activity_name + id: ocsf.activity_id + - type: schema-category-mapper + name: ocsf.severity_id + categories: + - filter: + query: "@http.method:*" + name: Informational + id: 1 + targets: + name: ocsf.severity + id: ocsf.severity_id + - type: schema-category-mapper + name: ocsf.status_id + 
categories: + - filter: + query: "@http.status_code:[200 TO 399]" + name: Success + id: 1 + - filter: + query: "@http.status_code:[400 TO 599]" + name: Failure + id: 2 + - filter: + query: "*" + name: Unknown + id: 99 + targets: + name: ocsf.status + id: ocsf.status_id + - type: schema-remapper + name: Map `host` to `ocsf.dst_endpoint.ip` + sources: + - host + target: ocsf.dst_endpoint.ip + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `http.method` to `ocsf.http_request.http_method` + sources: + - http.method + target: ocsf.http_request.http_method + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `http.referer` to `ocsf.http_request.referrer` + sources: + - http.referer + target: ocsf.http_request.referrer + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `http.url_details.path` to `ocsf.http_request.url.path` + sources: + - http.url_details.path + target: ocsf.http_request.url.path + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `http.url_details.port` to `ocsf.http_request.url.port` + sources: + - http.url_details.port + target: ocsf.http_request.url.port + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.http_request.url.query_string` to `ocsf.http_request.url.query_string` + sources: + - ocsf.http_request.url.query_string + target: ocsf.http_request.url.query_string + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `http.useragent` to `ocsf.http_request.user_agent` + sources: + - http.useragent + target: ocsf.http_request.user_agent + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `http.status_code` to `ocsf.http_response.code` + sources: + - http.status_code + target: ocsf.http_response.code + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map 
`http.status_category` to `ocsf.http_response.status` + sources: + - http.status_category + target: ocsf.http_response.status + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `http.method` to `ocsf.metadata.event_code` + sources: + - http.method + target: ocsf.metadata.event_code + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `network.client.ip` to `ocsf.src_endpoint.ip` + sources: + - network.client.ip + target: ocsf.src_endpoint.ip + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `http.os.family` to `ocsf.src_endpoint.os` + sources: + - http.os.family + target: ocsf.src_endpoint.os + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `http.status_code` to `ocsf.status_code` + sources: + - http.status_code + target: ocsf.status_code + preserveSource: true + targetFormat: string + overrideOnConflict: true + - type: schema-remapper + name: Map `duration` to `ocsf.duration` + sources: + - duration + target: ocsf.duration + preserveSource: true + targetFormat: double + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.metadata.product.name` to `ocsf.metadata.product.name` + sources: + - ocsf.metadata.product.name + target: ocsf.metadata.product.name + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.metadata.product.vendor_name` to `ocsf.metadata.product.vendor_name` + sources: + - ocsf.metadata.product.vendor_name + target: ocsf.metadata.product.vendor_name + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `date_access` to `ocsf.time` + sources: + - date_access + target: ocsf.time + preserveSource: true + overrideOnConflict: true + schema: + schemaType: ocsf + version: 1.5.0 + className: HTTP Activity + classUid: 4002 + extensions: [] + profiles: [] 
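Review bot: The second string-builder-processor in this hunk is named `Add ocsf.metadata.product.vendor_name` and emits `template: "F5"`, but its target is `ocsf.metadata.product.name`, so it overwrites the `nginx` value written by the processor just above it and `ocsf.metadata.product.vendor_name` is never populated; the later schema-remapper that reads `ocsf.metadata.product.vendor_name` therefore has nothing to map. The line should read `target: ocsf.metadata.product.vendor_name`. The expectations in the nginx_tests.yaml hunk (`product:` / `name: "F5"` with no `vendor_name` key, in every OCSF result) encode the same mistake and should become `name: "nginx"` plus `vendor_name: "F5"` once the target is corrected. The enclosing `pipeline:` mapping starts before this hunk.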
diff --git a/nginx/assets/logs/nginx_tests.yaml b/nginx/assets/logs/nginx_tests.yaml
old mode 100644
new mode 100755
index 0ed058745fa61..fb6db11eb5bf5
--- a/nginx/assets/logs/nginx_tests.yaml
+++ b/nginx/assets/logs/nginx_tests.yaml
@@ -1,185 +1,321 @@ id: "nginx" tests: - - - sample: "127.0.0.1 - frank [13/Jul/2016:10:55:36 +0000] \"GET /apache_pb.gif HTTP/1.0\" 200 2326" - result: - custom: - date_access: 1468407336000 - http: - auth: "frank" - method: "GET" - status_category: "OK" - status_code: 200 - url: "/apache_pb.gif" - url_details: - path: "/apache_pb.gif" - version: "1.0" - network: - bytes_written: 2326 - client: - ip: "127.0.0.1" - message: "127.0.0.1 - frank [13/Jul/2016:10:55:36 +0000] \"GET /apache_pb.gif HTTP/1.0\" 200 2326" - status: "ok" - tags: - - "source:LOGS_SOURCE" - timestamp: 1468407336000 - - - sample: "172.17.0.1 - - [06/Jan/2017:16:16:37 +0000] \"GET /datadoghq/company?test=var1%20Pl HTTP/1.1\" 404 612 \"http://www.perdu.com/\" \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36\" \"-\"" - result: - custom: - date_access: 1483719397000 - http: - method: "GET" - referer: "http://www.perdu.com/" - status_category: "warning" - status_code: 404 - url: "/datadoghq/company?test=var1%20Pl" - url_details: - path: "/datadoghq/company" - queryString: - test: "var1%20Pl" - useragent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" - useragent_details: - browser: - family: "Chrome" - major: "55" - minor: "0" - patch: "2883" - patch_minor: "87" - device: - category: "Desktop" - family: "Other" - os: - family: "Linux" - version: "1.1" - network: - bytes_written: 612 - client: - ip: "172.17.0.1" - message: "172.17.0.1 - - [06/Jan/2017:16:16:37 +0000] \"GET /datadoghq/company?test=var1%20Pl HTTP/1.1\" 404 612 \"http://www.perdu.com/\" \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36\" \"-\"" - status: "warn" - tags: - - "source:LOGS_SOURCE" - timestamp: 1483719397000 - - - sample: "172.17.0.1 - - [06/Jan/2017:16:16:37 +0000] \"GET /datadoghq/company?test=var1%20Pl HTTP/1.1\" 200 612 \"http://www.perdu.com/\" 
\"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36\" \"-\" those are random characters" - result: - custom: - date_access: 1483719397000 - http: - method: "GET" - referer: "http://www.perdu.com/" - status_category: "OK" - status_code: 200 - url: "/datadoghq/company?test=var1%20Pl" - url_details: - path: "/datadoghq/company" - queryString: - test: "var1%20Pl" - useragent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" - useragent_details: - browser: - family: "Chrome" - major: "55" - minor: "0" - patch: "2883" - patch_minor: "87" - device: - category: "Desktop" - family: "Other" - os: - family: "Linux" - version: "1.1" - network: - bytes_written: 612 - client: - ip: "172.17.0.1" - message: "172.17.0.1 - - [06/Jan/2017:16:16:37 +0000] \"GET /datadoghq/company?test=var1%20Pl HTTP/1.1\" 200 612 \"http://www.perdu.com/\" \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36\" \"-\" those are random characters" - status: "ok" - tags: - - "source:LOGS_SOURCE" - timestamp: 1483719397000 - - - sample: "2017/09/26 14:36:50 [error] 8409#8409: *317058 \"/usr/share/nginx/html/sql/sql-admin/index.html\" is not found (2: No such file or directory), client: 217.92.148.44, server: localhost, request: \"HEAD http://174.138.82.103:80/sql/sql-admin/ HTTP/1.1\", host: \"174.138.82.103\"" - result: - custom: - date_access: 1506436610000 - error: - message: "8409#8409: *317058 \"/usr/share/nginx/html/sql/sql-admin/index.html\" is not found (2: No such file or directory)" - host: "174.138.82.103" - http: - method: "HEAD" - url: "http://174.138.82.103:80/sql/sql-admin/" - url_details: - host: "174.138.82.103" - path: "/sql/sql-admin/" - port: 80 - scheme: "http" - version: "1.1" - level: "error" - network: - client: - ip: "217.92.148.44" - request: "HEAD http://174.138.82.103:80/sql/sql-admin/ HTTP/1.1" - server: 
"localhost" - message: "2017/09/26 14:36:50 [error] 8409#8409: *317058 \"/usr/share/nginx/html/sql/sql-admin/index.html\" is not found (2: No such file or directory), client: 217.92.148.44, server: localhost, request: \"HEAD http://174.138.82.103:80/sql/sql-admin/ HTTP/1.1\", host: \"174.138.82.103\"" - status: "error" - tags: - - "source:LOGS_SOURCE" - timestamp: 1506436610000 - - - sample: "2017/09/26 14:36:50 [info] 14#14: *285 client 172.17.0.27 closed keepalive connection" - result: - custom: - date_access: 1506436610000 - error: - message: "14#14: *285 client 172.17.0.27 closed keepalive connection" - level: "info" - message: "2017/09/26 14:36:50 [info] 14#14: *285 client 172.17.0.27 closed keepalive connection" - status: "info" - tags: - - "source:LOGS_SOURCE" - timestamp: 1506436610000 - - - sample: "127.0.0.1 - - [19/Feb/2015:15:50:36 -0500] \"GET /big.pdf HTTP/1.1\" 206 33973115 0.202 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36\"" - result: - custom: - date_access: 1424379036000 - duration: 2.02E8 - http: - method: "GET" - referer: "-" - status_category: "OK" - status_code: 206 - url: "/big.pdf" - url_details: - path: "/big.pdf" - useragent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36" - useragent_details: - browser: - family: "Chrome" - major: "40" - minor: "0" - patch: "2214" - patch_minor: "111" - device: - brand: "Apple" - category: "Desktop" - family: "Mac" - model: "Mac" - os: - family: "Mac OS X" - major: "10" - minor: "10" - patch: "1" - version: "1.1" - network: - bytes_written: 33973115 - client: - ip: "127.0.0.1" - message: "127.0.0.1 - - [19/Feb/2015:15:50:36 -0500] \"GET /big.pdf HTTP/1.1\" 206 33973115 0.202 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36\"" - status: "ok" - tags: - - 
"source:LOGS_SOURCE" - timestamp: 1424379036000 - + - sample: '127.0.0.1 - frank [13/Jul/2016:10:55:36 +0000] "GET /apache_pb.gif HTTP/1.0" 200 2326' + result: + custom: + date_access: 1468407336000 + http: + auth: "frank" + method: "GET" + status_category: "OK" + status_code: 200 + url: "/apache_pb.gif" + url_details: + path: "/apache_pb.gif" + version: "1.0" + network: + bytes_written: 2326 + client: + ip: "127.0.0.1" + ocsf: + activity_id: 3 + activity_name: "Get" + category_name: "Network Activity" + category_uid: 4 + class_name: "HTTP Activity" + class_uid: 4002 + http_request: + http_method: "GET" + url: + path: "/apache_pb.gif" + http_response: + code: 200 + status: "OK" + metadata: + event_code: "GET" + product: + name: "F5" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "127.0.0.1" + status: "Success" + status_code: "200" + status_id: 1 + time: 1468407336000 + message: '127.0.0.1 - frank [13/Jul/2016:10:55:36 +0000] "GET /apache_pb.gif HTTP/1.0" 200 2326' + status: "ok" + tags: + - "source:LOGS_SOURCE" + timestamp: 1468407336000 + - sample: '172.17.0.1 - - [06/Jan/2017:16:16:37 +0000] "GET /datadoghq/company?test=var1%20Pl HTTP/1.1" 404 612 "http://www.perdu.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-"' + result: + custom: + date_access: 1483719397000 + http: + method: "GET" + referer: "http://www.perdu.com/" + status_category: "warning" + status_code: 404 + url: "/datadoghq/company?test=var1%20Pl" + url_details: + path: "/datadoghq/company" + queryString: + test: "var1%20Pl" + useragent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" + useragent_details: + browser: + family: "Chrome" + major: "55" + minor: "0" + patch: "2883" + patch_minor: "87" + device: + category: "Desktop" + family: "Other" + os: + family: "Linux" + version: "1.1" + network: + bytes_written: 612 + client: + ip: 
"172.17.0.1" + ocsf: + activity_id: 3 + activity_name: "Get" + category_name: "Network Activity" + category_uid: 4 + class_name: "HTTP Activity" + class_uid: 4002 + http_request: + http_method: "GET" + referrer: "http://www.perdu.com/" + url: + path: "/datadoghq/company" + query_string: "test=var1%20Pl" + user_agent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" + http_response: + code: 404 + status: "warning" + metadata: + event_code: "GET" + product: + name: "F5" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "172.17.0.1" + status: "Failure" + status_code: "404" + status_id: 2 + time: 1483719397000 + message: '172.17.0.1 - - [06/Jan/2017:16:16:37 +0000] "GET /datadoghq/company?test=var1%20Pl HTTP/1.1" 404 612 "http://www.perdu.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-"' + status: "warn" + tags: + - "source:LOGS_SOURCE" + timestamp: 1483719397000 + - sample: '172.17.0.1 - - [06/Jan/2017:16:16:37 +0000] "GET /datadoghq/company?test=var1%20Pl HTTP/1.1" 200 612 "http://www.perdu.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-" those are random characters' + result: + custom: + date_access: 1483719397000 + http: + method: "GET" + referer: "http://www.perdu.com/" + status_category: "OK" + status_code: 200 + url: "/datadoghq/company?test=var1%20Pl" + url_details: + path: "/datadoghq/company" + queryString: + test: "var1%20Pl" + useragent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" + useragent_details: + browser: + family: "Chrome" + major: "55" + minor: "0" + patch: "2883" + patch_minor: "87" + device: + category: "Desktop" + family: "Other" + os: + family: "Linux" + version: "1.1" + network: + bytes_written: 612 + client: + ip: "172.17.0.1" + ocsf: + activity_id: 3 + 
activity_name: "Get" + category_name: "Network Activity" + category_uid: 4 + class_name: "HTTP Activity" + class_uid: 4002 + http_request: + http_method: "GET" + referrer: "http://www.perdu.com/" + url: + path: "/datadoghq/company" + query_string: "test=var1%20Pl" + user_agent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" + http_response: + code: 200 + status: "OK" + metadata: + event_code: "GET" + product: + name: "F5" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "172.17.0.1" + status: "Success" + status_code: "200" + status_id: 1 + time: 1483719397000 + message: '172.17.0.1 - - [06/Jan/2017:16:16:37 +0000] "GET /datadoghq/company?test=var1%20Pl HTTP/1.1" 200 612 "http://www.perdu.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-" those are random characters' + status: "ok" + tags: + - "source:LOGS_SOURCE" + timestamp: 1483719397000 + - sample: '2017/09/26 14:36:50 [error] 8409#8409: *317058 "/usr/share/nginx/html/sql/sql-admin/index.html" is not found (2: No such file or directory), client: 217.92.148.44, server: localhost, request: "HEAD http://174.138.82.103:80/sql/sql-admin/ HTTP/1.1", host: "174.138.82.103"' + result: + custom: + date_access: 1506436610000 + error: + message: '8409#8409: *317058 "/usr/share/nginx/html/sql/sql-admin/index.html" is not found (2: No such file or directory)' + host: "174.138.82.103" + http: + method: "HEAD" + url: "http://174.138.82.103:80/sql/sql-admin/" + url_details: + host: "174.138.82.103" + path: "/sql/sql-admin/" + port: 80 + scheme: "http" + version: "1.1" + level: "error" + network: + client: + ip: "217.92.148.44" + ocsf: + activity_id: 4 + activity_name: "Head" + category_name: "Network Activity" + category_uid: 4 + class_name: "HTTP Activity" + class_uid: 4002 + dst_endpoint: + ip: "174.138.82.103" + http_request: + http_method: "HEAD" + url: + path: 
"/sql/sql-admin/" + port: 80 + metadata: + event_code: "HEAD" + product: + name: "F5" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "217.92.148.44" + status: "Unknown" + status_id: 99 + time: 1506436610000 + request: "HEAD http://174.138.82.103:80/sql/sql-admin/ HTTP/1.1" + server: "localhost" + message: '2017/09/26 14:36:50 [error] 8409#8409: *317058 "/usr/share/nginx/html/sql/sql-admin/index.html" is not found (2: No such file or directory), client: 217.92.148.44, server: localhost, request: "HEAD http://174.138.82.103:80/sql/sql-admin/ HTTP/1.1", host: "174.138.82.103"' + status: "error" + tags: + - "source:LOGS_SOURCE" + timestamp: 1506436610000 + - sample: "2017/09/26 14:36:50 [info] 14#14: *285 client 172.17.0.27 closed keepalive connection" + result: + custom: + date_access: 1506436610000 + error: + message: "14#14: *285 client 172.17.0.27 closed keepalive connection" + level: "info" + message: "2017/09/26 14:36:50 [info] 14#14: *285 client 172.17.0.27 closed keepalive connection" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1506436610000 + - sample: '127.0.0.1 - - [19/Feb/2015:15:50:36 -0500] "GET /big.pdf HTTP/1.1" 206 33973115 0.202 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36"' + result: + custom: + date_access: 1424379036000 + duration: 2.02E8 + http: + method: "GET" + referer: "-" + status_category: "OK" + status_code: 206 + url: "/big.pdf" + url_details: + path: "/big.pdf" + useragent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36" + useragent_details: + browser: + family: "Chrome" + major: "40" + minor: "0" + patch: "2214" + patch_minor: "111" + device: + brand: "Apple" + category: "Desktop" + family: "Mac" + model: "Mac" + os: + family: "Mac OS X" + major: "10" + minor: "10" + patch: "1" + version: "1.1" + network: + bytes_written: 
33973115 + client: + ip: "127.0.0.1" + ocsf: + activity_id: 3 + activity_name: "Get" + category_name: "Network Activity" + category_uid: 4 + class_name: "HTTP Activity" + class_uid: 4002 + duration: 2.02E8 + http_request: + http_method: "GET" + referrer: "-" + url: + path: "/big.pdf" + user_agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36" + http_response: + code: 206 + status: "OK" + metadata: + event_code: "GET" + product: + name: "F5" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "127.0.0.1" + status: "Success" + status_code: "206" + status_id: 1 + time: 1424379036000 + message: '127.0.0.1 - - [19/Feb/2015:15:50:36 -0500] "GET /big.pdf HTTP/1.1" 206 33973115 0.202 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36"' + status: "ok" + tags: + - "source:LOGS_SOURCE" + timestamp: 1424379036000