Adds Incapsula log format #184

Merged
merged 8 commits into from
Jun 22, 2020
Conversation

sgiehl
Member

@sgiehl sgiehl commented Jul 5, 2017

Incapsula logs won't be auto-detected as they break with the other detections

Based on #180

Fixes #179

@dinasty02091994

Sorry to get back to you about this again so soon.
I've just tested your code and it works great once all the fields are populated. If the Status and Length fields are not populated, however, the regexp still fails. It seems like Incapsula is populating these fields in some logs and in others they are leaving them blank. Here are some example entries:

#Software: Incapsula LOGS API #Version: 1.1 #Date: 26/Jun/2017 18:24:33 #Fields: date time cs-vid cs-clapp cs-browsertype cs-js-support cs-co-support c-ip s-caip cs-clappsig s-capsupport s-suid cs(User-Agent) cs-sessionid s-siteid cs-countrycode s-tag cs-cicode s-computername cs-lat cs-long s-accountname cs-uri cs-postbody cs-version sc-action s-externalid cs(Referrer) s-ip s-port cs-method cs-uri-query sc-status s-xff cs-bytes cs-start cs-rule cs-severity cs-attacktype cs-attackid s-ruleName "2017-06-26" "18:21:17" "daf5e234-24fc-4a69-985c-ab923529b393" "Firefox" "Browser" "false" "true" "125.125.125.125" "" "030404c9ac184e57a6c956e6bfad11dc23186ea6cf166908c6bc7db81aab7170e33740ea4d2972210f96e3365d25eb25a222f316a4f9221f39e56035fa9a49c80f9eedd9b846bb0491abe72a4b988e7cd3e7117283cee9f556726334972b7ce9" "NA" "774502" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0) Gecko/20100101 Thunderbird/45.8.0 Lightning/4.7.8" "000000830000750000" "85437078" "SE" "XX" "Town" "www.company.xx.se" "66.3333" "66.3333" "Company" "www.company.xx.se/rss/news" "" "HTTP" "REQ_BAD_SERVER_CLOSED_CONNECTION" "3004162128217401" "" "125.125.125.125" "80" "GET" "" "" "125.125.125.125" "" "1498501277430" "" "" "" "" "" "2017-06-26" "18:21:28" "3ec258f3-2a80-4146-9c49-84f573fd04b2" "Facebook Mobile App" "Feed Fetcher" "false" "true" "125.125.125.125" "" "963aee14f88f88aa5584d7746dafb6f4a08b86251c389a4b174fece7b469018791e0cb291380983caea64b087ba03b3faa608dbd48361b31657c33c29d52cf01581b3f9f1fa5c0d53c1a4d4bd2afc387" "NA" "774502" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_4 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13G35 [FBAN/FBIOS;FBAV/88.1.0.64.70;FBBV/00030059;FBDV/iPhone6,2;FBMD/iPhone;FBSN/iPhone OS;FBSV/9.3.4;FBSS/2;FBCR/Telenor;FBID/phone;FBLC/en_GB;FBOP/5;FBRV/0]" "197001950219247607" "44850949" "SE" "XX" "Town" "www.example.se" "66.3333" "66.3333" "Company" "www.Company.se/Static/js/vendor/ReadSpeaker/mods/enlargeHL/ReadSpeaker.enlargeHL.js" "" "HTTP" 
"REQ_CACHED_FRESH" "232519809907362866" "" "" "" "GET" "v=...2887" "200" "" "3950" "1498501288289" "" "" "" "" "" "2017-06-26" "18:21:32" "44e23081-191c-404c-846b-f38eba837a58" "Facebook Mobile App" "Feed Fetcher" "false" "true" "125.125.125.125" "" "728178ac71b5e94f369d8aabdb9c9153b2c21cedaa142c639dda86c272131d8a7dcca32fb54e62286528f174705fe09f8c2572ad7ad7dadb0fe02a34ae4c3d504c035017bf9a6a7802bb898226378938" "NA" "774502" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Mobile/14D27 [FBAN/FBIOS;FBAV/98.0.0.48.70;FBBV/00060097;FBDV/iPhone7,2;FBMD/iPhone;FBSN/iOS;FBSV/10.2.1;FBSS/2;FBCR/Telenor;FBID/phone;FBLC/sv_SE;FBOP/5;FBRV/0]" "456000640270803229" "44850949" "SE" "XX" "Town" "www.example.se" "69.2" "69.2" "Company" "www.Company.se/Static/js/vendor/ReadSpeaker/ReadSpeaker.Styles.css" "" "HTTP" "REQ_CACHED_FRESH" "725328094088922117" "" "" "" "GET" "v=2.5.7.2887" "200" "" "3524" "1498501292534" "" "" "" "" "" "2017-06-26" "18:21:32" "44e23081-191c-404c-846b-f38eba837a58" "Facebook Mobile App" "Feed Fetcher" "false" "true" "125.125.125.125" "" "728178ac71b5e94f369d8aabdb9c9153b2c21cedaa142c639dda86c272131d8a7dcca32fb54e62286528f174705fe09f8c2572ad7ad7dadb0fe02a34ae4c3d504c035017bf9a6a7802bb898226378938" "NA" "774502" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Mobile/14D27 [FBAN/FBIOS;FBAV/98.0.0.48.70;FBBV/00060097;FBDV/iPhone7,2;FBMD/iPhone;FBSN/iOS;FBSV/10.2.1;FBSS/2;FBCR/Telenor;FBID/phone;FBLC/sv_SE;FBOP/5;FBRV/0]" "456000640270803229" "44850949" "SE" "XX" "Town" "www.example.se" "69.2" "69.2" "Company" "www.Company.se/Static/js/vendor/example/example.core.js" "" "HTTP" "REQ_CACHED_FRESH" "807626496478282762" "" "" "" "GET" "v=2.5.7.2887" "200" "" "7708" "1498501292542" "" "" "" "" ""

@sgiehl
Member Author

sgiehl commented Jul 6, 2017

Ok. Having them blank won't work with the regex. But that should be easy to fix. I've pushed an update. Would you mind testing it again?

@dinasty02091994

Just tested it with the log above and unfortunately it doesn't work. Unless each log entry is populated with data in the status and length fields the script will hang forever. Once populated, the import goes through without any problems.
This is the regex I'm getting from the script when trying to run it against the log above:

"?(?P<date>\d+[-\d+]+)"?\s+"?(?P<time>[\d+:]+)[.\d]*?"?\s+".*?"\s+".*?"\s+".*?"\s+".*?"\s+".*?"\s+"(?P<ip>[\w*.:-]*)"\s+".*?"\s+".*?"\s+".*?"\s+".*?"\s+"(?P<user_agent>.*?)"\s+".*?"\s+".*?"\s+".*?"\s+".*?"\s+".*?"\s+".*?"\s+".*?"\s+".*?"\s+".*?"\s+"(?P<host>\S+)/(?P<path>\S+)"\s+".*?"\s+".*?"\s+".*?"\s+".*?"\s+".*?"\s+".*?"\s+".*?"\s+".*?"\s+"(?P<query_string>\S*)"\s+"(?P<status>\d+?)"\s+".*?"\s+"(?P<length>\d+?)"\s+".*?"\s+".*?"\s+".*?"\s+".*?"\s+".*?"\s+".*?"

@sgiehl
Member Author

sgiehl commented Jul 7, 2017

@dinasty02091994 please try again, hope it is fixed now.

@dinasty02091994

@sgiehl I just tried with the updates and it was still hanging the same way as before. I made the following change to the code to make it work:

Before the change, line 362:
'cs-uri': '"(?P<host>[^\/\s]+)/(?P<path>\S+)"',

After the change, line 362:
'cs-uri': '"(?P<host>[^\/\s]+)(?P<path>\S+)"',

I think this has to do with some requests being made directly to the top site without any slashes, which made the script hang. This seemed to be due to the regex looking for at least one slash in the path field. Not sure if this was the correct way to solve it, but I thought you should know about it anyway.

Now all my logs import the way they should without any problems :)
Thank you very much for looking into this!

@sgiehl
Member Author

sgiehl commented Jul 10, 2017

Good catch. Will change that.

@dinasty02091994

dinasty02091994 commented Jul 11, 2017

I also made the following change. I noticed that the script continued hanging on some logs while others worked fine.

I analyzed what was wrong and got to the following conclusion:

Since the path field sometimes contains non-standard characters (Swedish website), I had to change the following:

Line 362 before change:

'cs-uri': '"(?P<host>[^\/\s]+)(?P<path>\S+)"',

Line 362 after change:

'cs-uri': '"(?P<host>[^\/\s]+)(?P<path>.*?)"',

After this change I've imported well over 1000 logfiles without any problem at all.
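The `#Fields:` header and the two regex fixes this thread arrives at (no slash required after the host in cs-uri, blank sc-status and cs-bytes accepted), pulled together as an added Python example that is not the project's import_logs.py code. It differs from the generated regex by matching quoted fields with `[^"]*` rather than `.*?` or `\S+`; the field sub-patterns, `build_regex`, `make_line` and the sample entry are this example's own, and the sample values are constructed.

```python
import re
# Per-field sub-patterns for the Incapsula W3C format discussed in this thread
# (this example's own, not the project's code); unlisted fields use GENERIC.
FIELD_PATTERNS = {
    'date': r'"?(?P<date>\d+[-\d+]+)"?',
    'time': r'"?(?P<time>[\d+:]+)[.\d]*?"?',
    'c-ip': r'"(?P<ip>[\w*.:-]*)"',
    'cs(User-Agent)': r'"(?P<user_agent>[^"]*)"',
    # No slash required after the host, so a bare site root has an empty path.
    'cs-uri': r'"(?P<host>[^/\s"]+)(?P<path>[^"]*)"',
    'cs-uri-query': r'"(?P<query_string>[^"]*)"',
    # \d* instead of \d+? so a blank status or length field still matches.
    'sc-status': r'"(?P<status>\d*)"',
    'cs-bytes': r'"(?P<length>\d*)"',
}
# The thread's original \d+? variants, kept so the difference can be checked.
STRICT_PATTERNS = {**FIELD_PATTERNS, 'sc-status': r'"(?P<status>\d+?)"',
                   'cs-bytes': r'"(?P<length>\d+?)"'}
# Generic field: quoted text that never crosses a quote, so an unmatched line
# fails fast instead of backtracking across 40 lazy groups.
GENERIC = r'"[^"]*"'
FIELDS_HEADER = (  # field list taken from the thread's log sample
    '#Fields: date time cs-vid cs-clapp cs-browsertype cs-js-support '
    'cs-co-support c-ip s-caip cs-clappsig s-capsupport s-suid cs(User-Agent) '
    'cs-sessionid s-siteid cs-countrycode s-tag cs-cicode s-computername cs-lat '
    'cs-long s-accountname cs-uri cs-postbody cs-version sc-action s-externalid '
    'cs(Referrer) s-ip s-port cs-method cs-uri-query sc-status s-xff cs-bytes '
    'cs-start cs-rule cs-severity cs-attacktype cs-attackid s-ruleName')

def build_regex(fields_header, patterns=FIELD_PATTERNS):
    """Assemble the whole-line regex from the '#Fields:' header, in order."""
    names = fields_header.split()[1:]  # drop the '#Fields:' token
    return re.compile(r'\s+'.join(patterns.get(n, GENERIC) for n in names) + r'\s*$')

def make_line(fields_header, values):
    """Construct a sample entry: every field quoted, blank unless given."""
    return ' '.join('"%s"' % values.get(n, '') for n in fields_header.split()[1:])

def parse_line(regex, line):
    """Return the named groups ('' for blank fields), or None if unmatched."""
    m = regex.match(line.strip())
    return m.groupdict() if m else None

# Constructed entry shaped like the thread's first sample: cs-uri without a
# slash, blank sc-status and cs-bytes. Values are made up, not real traffic.
SAMPLE = make_line(FIELDS_HEADER, {
    'date': '2017-06-26', 'time': '18:21:17', 'c-ip': '125.125.125.125',
    'cs(User-Agent)': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0)',
    'cs-uri': 'www.company.xx.se', 'cs-method': 'GET',
    'sc-action': 'REQ_BAD_SERVER_CLOSED_CONNECTION'})
```

Because `[^"]*` matches by exclusion, it is also indifferent to whether `\S` treats non-ASCII bytes as whitespace, which is the locale question raised later in the thread.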

@sgiehl
Member Author

sgiehl commented Jul 11, 2017

@dinasty02091994 we are using `\S` almost everywhere to match the strings. The reason it doesn't match in your case might be the locale used on your system. `\S` is locale dependent.
Maybe we could use the unicode flag to get it independent. Needs to be checked.

@magnus-84

Hello

Just one mention regarding this part: Incapsula supports different log formats. None worked before. The format this is more specific for is Incapsula's method of W3C. They support CEF and LEEF too, but the fixes here are done for Incapsula W3C. So maybe the log-format name should be incapsula_w3c?

Regards
Magnus

@sgiehl
Member Author

sgiehl commented Jul 12, 2017

@magnus-84 thx for your note. I'll change the name. Do you have log examples for the other formats? Can the other format types also be used to be imported to Piwik? If so, do you maybe have example logs? Maybe we could add them later as well.

@sgiehl
Member Author

sgiehl commented Jul 12, 2017

@dinasty02091994 do you have an example log line that wasn't imported because of unmatched characters?

@magnus-84

@sgiehl Here are some examples of CEF and LEEF logs. Let me know if you need more. I can't test it since we are not currently using it. It's parts of logs from when we tested going into production.

Incapsula CEF format example log

CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| fileId=262000500012870279 sourceServiceName=www.example.se siteid=44850949 suid=774502 requestClientApplication=Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0) cs2=false cs2Label=Javascript Support cs3=false cs3Label=CO Support src=123.123.123.123 cs1=NA cs1Label=Cap Support cs4=fe747c2f-3f46-45ba-97e1-efd3f8cc8646 cs4Label=VID cs5=22c153a569931a8adb0730d147007186a16be1aa51cc9a296406f116cdf401ba466691f0bb5c14c82387f7faed8e892dfc712bcbb2559ef868a34e36f2904c61 cs5Label=clappsig dproc=Unclassified cs6=Bot cs6Label=clapp ccode=[US] tag=LK cicode=Mountain View cs7=37.4192 cs7Label=latitude cs8=-122.0574 cs8Label=longitude Customer=Examplecust start=1498509920937 request=www.example.se/rss/feed/79539 requestMethod=GET cn1=301 app=HTTP act=REQ_PASSED deviceExternalId=20679399964017444 sip=234.234.234.234 spt=80 in=519 xff=123.123.123.123
CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| fileId=221002240223601023 sourceServiceName=www.example.se siteid=63604402 suid=774502 requestClientApplication=BLP_bbot/0.1 cs2=false cs2Label=Javascript Support cs3=false cs3Label=CO Support src=134.134.134.134 cs1=NA cs1Label=Cap Support cs4=84b328b1-452a-4b50-913d-cec1afebefc7 cs4Label=VID cs5=2a72789c747d5e0a5384bcdf0028b5021707a6977e145304a6e8c27de18b9fd31f782628229ab9713f299855210ce4f5cfa245755b45fb82c39c974899e4d45fd7118e8a1179fcdbb1a5e559825342f1 cs5Label=clappsig dproc=Unclassified cs6=Bot cs6Label=clapp ccode=[US] tag=LK cicode=New York cs7=40.7588 cs7Label=latitude cs8=-73.968 cs8Label=longitude Customer=Examplecust start=1498510242831 request=www.example.se/speeches/ requestMethod=GET cn1=200 app=HTTP act=REQ_CACHED_FRESH deviceExternalId=534174638920240647 in=8533

Incapsula LEEF format example log
LEEF:1.0|Incapsula|SIEMintegration|1.0|Normal| fileId=624000190252450035 sourceServiceName=www.example.se siteid=44850949 suid=774502 requestClientApplication=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/537.86.7 cs2=false cs2Label=Javascript Support cs3=true cs3Label=CO Support src=2001:2001:2001:2001:2002:2003 cs1=NA cs1Label=Cap Support cs4=46bf0688-caac-4637-a403-880e9f1e07ff cs4Label=VID cs5=728178ac71b5e94f369d8aabdb9c9153ab050a186fb78b36fca8537931efdff918f838ef6356f6ade11fc64d9b98281bcb354a11c29ba320723885df07b35537fdc60c0da620282b02dfb8051e7a60f9 cs5Label=clappsig dproc=Browser cs6=Safari cs6Label=clapp calCountryOrRegion=[US] tag=LK cs7=37.751 cs7Label=latitude cs8=-97.822 cs8Label=longitude Customer=Examplecust start=1498510226110 url=www.example.se/artiklar/2017/02/ requestMethod=GET cn1=200 proto=HTTP cat=REQ_CACHED_FRESH deviceExternalId=301278851910074673 in=9190
LEEF:1.0|Incapsula|SIEMintegration|1.0|Normal| fileId=220011060172333165 sourceServiceName=www.example.se siteid=44850949 suid=774502 requestClientApplication=Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) Mobile/14F89 [FBAN/FBIOS;FBAV/98.0.0.48.70;FBBV/62465497;FBDV/iPhone8,1;FBMD/iPhone;FBSN/iOS;FBSV/10.3.2;FBSS/2;FBCR/AT&T;FBID/phone;FBLC/en_US;FBOP/5;FBRV/0] cs2=false cs2Label=Javascript Support cs3=true cs3Label=CO Support src=123.123.123.123 cs1=NA cs1Label=Cap Support cs4=808edd62-cfcd-47d5-8ac2-045a4f265a80 cs4Label=VID cs5=043f62e9b1d6bd397bbfbff14d626ae683995c9bfd1f8e2bf12d2af4cacfb6bb3cb21a639dc1aa3d6cef36f5da1cbd15ab95c462a408d25f17237d56dc9157c135a9cd871db32aa4fc7b8a9463366cc4 cs5Label=clappsig dproc=Feed Fetcher cs6=Facebook Mobile App cs6Label=clapp calCountryOrRegion=[US] tag=LM cicode=Virginia Beach cs7=36.8267 cs7Label=latitude cs8=-76.0179 cs8Label=longitude Customer=Examplecust start=1498510257041 url=www.example.se/static/css/img/ajax-loader.gif requestMethod=GET cn1=200 proto=HTTP cat=REQ_CACHED_FRESH deviceExternalId=638868405245199658 in=5448

Link to better formatted logs.
http://p.itslav.nu/kaXLqFtdJVujjR1

mattab
mattab previously requested changes Dec 11, 2017
@tsteur tsteur changed the base branch from master to 3.x-dev January 13, 2020 22:46
@diosmosis diosmosis merged commit c07986e into 3.x-dev Jun 22, 2020
@diosmosis diosmosis deleted the incapsula branch June 22, 2020 11:17
@innocraft-automation innocraft-automation removed this from the Current sprint milestone Jan 24, 2023