[AWS] Support multiple forwarded IPs in cloudfront integration (elastic#4676)

Author: kaiyan-sheng

packages/aws/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.27.3"
+  changes:
+    - description: Support multiple forwarded IPs in cloudfront integration
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/4676
 - version: "1.27.2"
   changes:
     - description: Update the pagination termination condition.

packages/aws/data_stream/cloudfront_logs/_dev/test/pipeline/test-cloudfront.log

@@ -6,3 +6,4 @@
 2019-12-13	22:37:02	SEA19-C2	900	89.160.20.112	GET	d111111abcdef8.cloudfront.net	/	502	-	curl/7.55.1	-	-	Error	kBkDzGnceVtWHqSCqBUqtA_cEs2T3tFUBbnBNkB9El_uVRhHgcZfcw==	www.example.com	http	387	0.103	-	-	-	Error	HTTP/1.1	-	-	12644	0.103	OriginDnsError	text/html	507	-	-
 2022-04-19 12:29:36 SEA19-C2 10157 81.2.69.143 POST d111111abcdef8.cloudfront.net /getApplications 200 https://test.com/global Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/100.0.4896.127%20Safari/537.36 source=global - Miss hrsHM5OM6sTIXUleC1G20YtDxMf5Cq0Jbz0pwhVpod2kgEn_W6akCQ== test.com https 1057 0.238 - TLSv1.3 TLS_AES_128_GCM_SHA256 Miss HTTP/2.0 - - 4203 0.238 Miss application/json;charset=UTF-8 - - -
 2022-04-19 12:29:36 SEA19-C2 10157 81.2.69.143 POST d111111abcdef8.cloudfront.net /getApplications 000 https://test.com/global Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/100.0.4896.127%20Safari/537.36 source=global - Miss hrsHM5OM6sTIXUleC1G20YtDxMf5Cq0Jbz0pwhVpod2kgEn_W6akCQ== test.com https 1057 0.238 - TLSv1.3 TLS_AES_128_GCM_SHA256 Miss HTTP/2.0 - - 4203 0.238 Miss application/json;charset=UTF-8 - - -
+2022-11-15 08:43:04 SEA19-C2 10157 81.2.69.143 GET d111111abcdef8.cloudfront.net /getApplications 200 https://test.com/global Mozilla/5.0%20(X11;%20Linux%20x86_64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20HeadlessChrome/100.0.4896.88%20Safari/537.36 - - Miss hrsHM5OM6sTIXUleC1G20YtDxMf5Cq0Jbz0pwhVpod2kgEn_W6akCQ== test.com https 1057 0.093 81.2.69.142,216.160.83.56 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Miss HTTP/1.1 - - 33359 0.093 Miss application/javascript - - -

packages/aws/data_stream/cloudfront_logs/_dev/test/pipeline/test-cloudfront.log-expected.json

@@ -876,6 +876,116 @@
                 },
                 "version": "100.0.4896.127"
             }
+        },
+        {
+            "@timestamp": "2022-11-15T08:43:04.000Z",
+            "aws": {
+                "cloudfront": {
+                    "content_type": "application/javascript",
+                    "domain": "d111111abcdef8.cloudfront.net",
+                    "edge_detailed_result_type": "Miss",
+                    "edge_location": "SEA19-C2",
+                    "edge_response_result_type": "Miss",
+                    "edge_result_type": "Miss",
+                    "time_to_first_byte": 0.093
+                }
+            },
+            "cloud": {
+                "provider": "aws"
+            },
+            "destination": {
+                "address": "test.com",
+                "domain": "test.com"
+            },
+            "ecs": {
+                "version": "8.0.0"
+            },
+            "event": {
+                "category": "web",
+                "id": "hrsHM5OM6sTIXUleC1G20YtDxMf5Cq0Jbz0pwhVpod2kgEn_W6akCQ==",
+                "kind": "event",
+                "original": "2022-11-15 08:43:04 SEA19-C2 10157 81.2.69.143 GET d111111abcdef8.cloudfront.net /getApplications 200 https://test.com/global Mozilla/5.0%20(X11;%20Linux%20x86_64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20HeadlessChrome/100.0.4896.88%20Safari/537.36 - - Miss hrsHM5OM6sTIXUleC1G20YtDxMf5Cq0Jbz0pwhVpod2kgEn_W6akCQ== test.com https 1057 0.093 81.2.69.142,216.160.83.56 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Miss HTTP/1.1 - - 33359 0.093 Miss application/javascript - - -",
+                "outcome": "success",
+                "type": [
+                    "access"
+                ]
+            },
+            "http": {
+                "request": {
+                    "bytes": 1057,
+                    "id": "hrsHM5OM6sTIXUleC1G20YtDxMf5Cq0Jbz0pwhVpod2kgEn_W6akCQ==",
+                    "method": "GET",
+                    "referrer": "https://test.com/global"
+                },
+                "response": {
+                    "bytes": 10157,
+                    "status_code": 200
+                },
+                "version": "1.1"
+            },
+            "network": {
+                "forwarded_ip": [
+                    "81.2.69.142",
+                    "216.160.83.56"
+                ],
+                "protocol": "https",
+                "type": "ipv4"
+            },
+            "related": {
+                "hosts": [
+                    "test.com",
+                    "d111111abcdef8.cloudfront.net"
+                ],
+                "ip": [
+                    "81.2.69.142",
+                    "216.160.83.56",
+                    "81.2.69.143"
+                ]
+            },
+            "source": {
+                "address": "81.2.69.143",
+                "geo": {
+                    "city_name": "London",
+                    "continent_name": "Europe",
+                    "country_iso_code": "GB",
+                    "country_name": "United Kingdom",
+                    "location": {
+                        "lat": 51.5142,
+                        "lon": -0.0931
+                    },
+                    "region_iso_code": "GB-ENG",
+                    "region_name": "England"
+                },
+                "ip": "81.2.69.143",
+                "port": 33359
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "tls": {
+                "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
+                "version": "1.2",
+                "version_protocol": "tls"
+            },
+            "url": {
+                "domain": "test.com",
+                "full": "https://test.com/getApplications",
+                "path": "/getApplications",
+                "registered_domain": "test.com",
+                "scheme": "https",
+                "top_level_domain": "com"
+            },
+            "user_agent": {
+                "device": {
+                    "name": "Other"
+                },
+                "name": "HeadlessChrome",
+                "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/100.0.4896.88 Safari/537.36",
+                "os": {
+                    "name": "Linux"
+                },
+                "version": "100.0.4896"
+            }
         }
     ]
 }

packages/aws/data_stream/cloudfront_logs/elasticsearch/ingest_pipeline/default.yml

@@ -31,11 +31,12 @@ processors:
   - grok:
       field: event.original
       patterns:
-        - '%{TIMESTAMP:_tmp.time}\s%{EDGE_LOCATION:aws.cloudfront.edge_location}\s%{INT:http.response.bytes:long}\s%{IP:source.address}\s%{WORD:http.request.method}\s%{HOSTNAME:aws.cloudfront.domain}\s%{UNIXPATH:url.path}\s%{INT:http.response.status_code:long}\s(-|%{DATA:http.request.referrer})\s%{DATA:_tmp.user_agent}\s(-|%{DATA:url.query})\s(-|%{DATA:aws.cloudfront.cookies})\s%{WORD:aws.cloudfront.edge_result_type}\s%{DATA:http.request.id}\s%{HOSTNAME:destination.address}\s%{WORD:network.protocol}\s%{INT:http.request.bytes:long}\s%{NUMBER:_tmp.duration:float}\s(-|%{IP:network.forwarded_ip})\s(-|%{TLS:tls.version_protocol}v%{NUMBER:tls.version})\s(-|%{DATA:tls.cipher})\s%{WORD:aws.cloudfront.edge_response_result_type}\s%{DATA:_tmp.protocol}\s(-|%{WORD:aws.cloudfront.fle_status})\s(-|%{DATA:aws.cloudfront.fle_encrypted_fields})\s(-|%{POSINT:source.port:long})\s(-|%{NUMBER:aws.cloudfront.time_to_first_byte:float})\s(-|%{WORD:aws.cloudfront.edge_detailed_result_type})\s%{DATA:aws.cloudfront.content_type}\s(-|%{INT:http.response.body.bytes:long})\s(-|%{DATA:aws.cloudfront.range_start})\s(-|%{DATA:aws.cloudfront.range_end})'
+        - '%{TIMESTAMP:_tmp.time}\s%{EDGE_LOCATION:aws.cloudfront.edge_location}\s%{INT:http.response.bytes:long}\s%{IP:source.address}\s%{WORD:http.request.method}\s%{HOSTNAME:aws.cloudfront.domain}\s%{UNIXPATH:url.path}\s%{INT:http.response.status_code:long}\s(-|%{DATA:http.request.referrer})\s%{DATA:_tmp.user_agent}\s(-|%{DATA:url.query})\s(-|%{DATA:aws.cloudfront.cookies})\s%{WORD:aws.cloudfront.edge_result_type}\s%{DATA:http.request.id}\s%{HOSTNAME:destination.address}\s%{WORD:network.protocol}\s%{INT:http.request.bytes:long}\s%{NUMBER:_tmp.duration:float}\s(-|%{FORWARDED_IPS:_tmp.forwarded_ip})\s(-|%{TLS:tls.version_protocol}v%{NUMBER:tls.version})\s(-|%{DATA:tls.cipher})\s%{WORD:aws.cloudfront.edge_response_result_type}\s%{DATA:_tmp.protocol}\s(-|%{WORD:aws.cloudfront.fle_status})\s(-|%{DATA:aws.cloudfront.fle_encrypted_fields})\s(-|%{POSINT:source.port:long})\s(-|%{NUMBER:aws.cloudfront.time_to_first_byte:float})\s(-|%{WORD:aws.cloudfront.edge_detailed_result_type})\s%{DATA:aws.cloudfront.content_type}\s(-|%{INT:http.response.body.bytes:long})\s(-|%{DATA:aws.cloudfront.range_start})\s(-|%{DATA:aws.cloudfront.range_end})'
       pattern_definitions:
         TIMESTAMP: '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}'
         TLS: '(TLS|SSL)'
         EDGE_LOCATION: '[A-Z]{3}\d+(-[A-Z]+\d+)?'
+        FORWARDED_IPS: '(%{IP}?(,(\s*)%{IP})*)+'
   - gsub:
       field: _tmp.time
       pattern: \t
@@ -130,14 +131,20 @@ processors:
       field: source.as.organization_name
       target_field: source.as.organization.name
       ignore_missing: true
+  - split:
+      field: _tmp.forwarded_ip
+      target_field: related.ip
+      separator: ','
+      ignore_missing: true
   - append:
       field: related.ip
       value: "{{source.ip}}"
       if: ctx.source?.ip != null
-  - append:
-      field: related.ip
-      value: "{{network.forwarded_ip}}"
-      if: ctx.network?.forwarded_ip != null
+  - split:
+      field: _tmp.forwarded_ip
+      target_field: network.forwarded_ip
+      separator: ','
+      ignore_missing: true
   - append:
       field: related.hosts
       value: "{{destination.domain}}"

packages/aws/data_stream/cloudfront_logs/fields/ecs.yml

@@ -26,6 +26,8 @@
   name: http.response.status_code
 - external: ecs
   name: http.version
+- external: ecs
+  name: network.forwarded_ip
 - external: ecs
   name: network.protocol
 - external: ecs

packages/aws/docs/cloudfront.md

@@ -105,6 +105,7 @@ CloudFront standard logs provide detailed records about every request that’s m
 | http.response.bytes | Total size in bytes of the response (body and headers). | long |
 | http.response.status_code | HTTP response status code. | long |
 | http.version | HTTP version. | keyword |
+| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
 | network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
 | network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
 | related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |

packages/aws/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: aws
 title: AWS
-version: 1.27.2
+version: 1.27.3
 license: basic
 description: Collect logs and metrics from Amazon Web Services with Elastic Agent.
 type: integration