Populating of source/destination if both source/client or server/destination is being used

[vbohata]

We use following fields for proxy logs:

• client.ip
• server.ip
• destination.ip

Or to describe it in details for one proxy system we use client/destination pair (client.ip - CLIENT; destination.ip, destination.network, ... - to ORIGIN server). In another proxy system it is client/server - here client is communicating primarily with proxy and sometimes the requests are being forwarded to some specified backends.

This makes sense for us and is readable. But this also creates a question if source/destination should be always be populated if one of the source/destination fields is already part of the event?

Maybe client/source/server/destination usage should be more discussed here as I found (squid logs parsing, haproxy parsing) source-client-server-destination convention is often used in different ways for different purposes.

Btw. I found there are systems (like SIEM solutions) which usually recognizes only src/dst (so in this case src is client.ip and dst should be server.ip). But this is not always win as I noticed it sometimes creates a mess. So I like this ECS separation.

[ruflin]

@MikePaquette @webmat I think your input is needed here.

[MikePaquette]

@vbohata good question - different systems indeed represent source/destination and client/server differently. As you say, ECS has chosen to have both client/server and source/destination fields so that we can accommodate most usages.

The web proxy event is a special case. It is definitely a session-level event, so ECS specifies that the client.* and server.* fields should be populated. But unlike other network flow events, in the case of the web proxy event, the server is defined as the ultimate destination of the web-request.

So I think you would first map the client and server fields to the client and origin server per the diagram below. Note the proxy details are captured in the observer.* fields.

Now for the harder question you raise about the source and destination. Since this is a session-level event, and we don't have the details of the packets going from client->proxy and proxy-server, then I would suggest that the client.* details should be copied to the source.* fields, and the server.* fields should be copied to the destination.* fields, regardless of the fact that destination was already populated in the original event.

[vbohata]

Will ECS define any rules of using combination of client/server or source/destination and their mixing or not mixing? For one of our proxy this makes sense for me:

• client.ip
• server.ip copied to destination.ip
• destination.network.name (not copied to server as destination network name is name assigned on proxy server itself like "Internal Network")

Observer can be easily used here.

Our second proxy is more complex device (IBM datapower gateway). This actually is not proxy but can act as it. So here we are using:

• client.ip
• server.ip (in this case it is the IP of the device itself as the datapower does not log the destination of the proxied request - if it is the proxy request).
• source.ip, destination.ip (for logs like "unable to communicate from IP to IP")

Here the observer does not make sense but instead of it there are couple of backends where some of them can be used as origin servers for proxied requests, some of them for different ways. So here we should use some "backend" field (as I posted here #158 before observer was here). But this leads to situation where for some proxy there are observer.* fields, for another there are backend.* fields.

[MikePaquette]

@vbohata sorry for the delay - here are a some thoughts regarding your questions.

Will ECS define any rules of using combination of client/server or source/destination and their mixing or not mixing?

ECS field definitions specify that:

• source and destination fields are usually populated together
• client and server fields are usually populated together
• client and server fields are populated for events regarding sessions, connections, or bidirectional flow records.
• even when client and server fields are used, you should try to populate source and destination fields as well.

I don't expect ECS to specify further mixing rules.

For one of our proxy this makes sense for me:
client.ip
server.ip copied to destination.ip
destination.network.name (not copied to server as destination network name is name assigned on proxy server itself like "Internal Network")
Observer can be easily used here.

Yes, the proxy here would be the observer.
BTW, could you also copy the client.ip to source.ip ?
Note that destination.network.name is not specified by ECS. Only network.name

Our second proxy is more complex device (IBM datapower gateway). This actually is not proxy but can act as it. So here we are using:
client.ip
server.ip (in this case it is the IP of the device itself as the datapower does not log the destination of the proxied request - if it is the proxy request).
source.ip, destination.ip (for logs like "unable to communicate from IP to IP")
Here the observer does not make sense but instead of it there are couple of backends where some of them can be used as origin servers for proxied requests, some of them for different ways. So here we should use some "backend" field (as I posted here #158 before observer was here). But this leads to situation where for some proxy there are observer.* fields, for another there are backend.* fields.

Ah I see. I think you are trying to capture enough information in a single event to put the whole session (client-IBM-backend-ultimate_destination) back together. You are correct that ECS does not have an appropriate set of fields for this type of four-entity transaction.

It is fine from ECS perspective to treat the IBM datapower as the endpoint of the connection, so using client/server and source/destination is consistent with ECS (see 1. below), but of course, this will not capture any information about the backend, nor about the ultimate destination of the logical session.

Does your backend also generate logs when acting as proxy? If so, then perhaps you can use both logs to stitch the connection back together. Note that only one of them (backend) is acting as a proxy, so it's OK that only its logs have the observer fields populated.

1. Log from IBM, detailing connection from client to IBM.
   client -> client (and source)
   IBM -> server (and destination)

2. Log from Backend, detailing connection from IBM to ultimate_destination
   backend->observer
   IBM->client (and source)
   ultimate_destination -> server (and destination)

This way when you do your flow analysis, you have enough data to trace the communication path accurately.

Does this make sense?

[webmat]

I would be in favour of keeping the pairs as defined in ECS (source & destination, client & server) where they map to the proxy, as this is the actual network connection being observed from the client.

Then I agree with the idea of using backend or upstream to document which server the call is effectively going to. Although the backend server is in a sense an "implementation detail", so I wouldn't document it in one of the above pairs.

@vbohata Sorry for not getting back to your suggestion on backend yet. We're hard at work bringing the Elastic Stack with ECS as it stands now. Progress on ECS itself will resume soon, don't worry ;-)

[vbohata]

@vbohata sorry for the delay - here are a some thoughts regarding your questions.

Will ECS define any rules of using combination of client/server or source/destination and their mixing or not mixing?

ECS field definitions specify that:

* source and destination fields are usually populated together

* client and server fields are usually populated together

* client and server fields are populated for events regarding sessions, connections, or bidirectional flow records.

* even when client and server fields are used, you should try to populate source and destination fields as well.

I don't expect ECS to specify further mixing rules.

For one of our proxy this makes sense for me:
client.ip
server.ip copied to destination.ip
destination.network.name (not copied to server as destination network name is name assigned on proxy server itself like "Internal Network")
Observer can be easily used here.

Yes, the proxy here would be the observer.
BTW, could you also copy the client.ip to source.ip ?
Note that destination.network.name is not specified by ECS. Only network.name

Yes, I can copy this IP. This reverse proxy in fact can be also configured as a forward proxy (we do not use this config), so its logs can also contain the NAT IP for outbound connections. I assume this should be also mapped to observer.ip if required?
Yes, I know there is no destination.network.name in ECS, but it is required in our case where there is some source network named somehow and the destination one. But this should be OK as in practice for all the fields we use our organization prefix to avoid collisions with evolving ECS (we have fields like orgprefix.source.host.ip, orgprefix.source.host.port, orgprefix.switch.port, ... will probably have orgprefix.source.switch.port etc.). In future we will be able to map (aliases, copying) some values to ECS.

Our second proxy is more complex device (IBM datapower gateway). This actually is not proxy but can act as it. So here we are using:
client.ip
server.ip (in this case it is the IP of the device itself as the datapower does not log the destination of the proxied request - if it is the proxy request).
source.ip, destination.ip (for logs like "unable to communicate from IP to IP")
Here the observer does not make sense but instead of it there are couple of backends where some of them can be used as origin servers for proxied requests, some of them for different ways. So here we should use some "backend" field (as I posted here #158 before observer was here). But this leads to situation where for some proxy there are observer.* fields, for another there are backend.* fields.

Ah I see. I think you are trying to capture enough information in a single event to put the whole session (client-IBM-backend-ultimate_destination) back together. You are correct that ECS does not have an appropriate set of fields for this type of four-entity transaction.

It is fine from ECS perspective to treat the IBM datapower as the endpoint of the connection, so using client/server and source/destination is consistent with ECS (see 1. below), but of course, this will not capture any information about the backend, nor about the ultimate destination of the logical session.

Does your backend also generate logs when acting as proxy? If so, then perhaps you can use both logs to stitch the connection back together. Note that only one of them (backend) is acting as a proxy, so it's OK that only its logs have the observer fields populated.

1. Log from IBM, detailing connection from client to IBM.
   client -> client (and source)
   IBM -> server (and destination)

2. Log from Backend, detailing connection from IBM to ultimate_destination
   backend->observer
   IBM->client (and source)
   ultimate_destination -> server  (and destination)

This way when you do your flow analysis, you have enough data to trace the communication path accurately.

Does this make sense?

OK. Thanks. It depends on datapower and/or backend configuration if we will have all the info required to capture the whole flow.

[webmat]

for all the fields we use our organization prefix to avoid collisions with evolving ECS

Good way to approach it 👍

[Randy-312]

Are you able to share any of your work or findings on mapping the Squid logs to ECS?