NGINX
Use the IBM® QRadar® NGINX Content Extension to closely monitor your NGINX deployment.
Important: To avoid content errors in this content extension, keep the associated DSMs
up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled,
download the most recent version of the associated DSMs from IBM Fix Central
(https://www.ibm.com/support/fixcentral).
IBM Security QRadar NGINX Content Extension 1.0.2
The following table shows the custom properties in IBM Security QRadar NGINX Content Extension 1.0.2.
Name | Optimized | Capture Group | LEEF or regex expressions |
---|---|---|---|
Referrer URL | Yes | 1 | `http_referer` |
URLHost | Yes | 1 | `host:\s"(.*?)/` |
IBM Security QRadar NGINX Content Extension 1.0.1
The following table shows the custom properties in IBM Security QRadar NGINX Content Extension 1.0.1.
Name | Optimized | Capture Group | LEEF expressions |
---|---|---|---|
Bytes Sent | Yes | 1 | `body_bytes_sent` |
Referrer URL | No | 1 | `http_referer` |
URL Path | No | 1 | `uri_path` |
User Agent | No | 1 | `http_user_agent` |
IBM Security QRadar NGINX Content Extension 1.0.0
The following table shows the custom properties in IBM Security QRadar NGINX Content Extension 1.0.0.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Bytes Sent | Yes | 1 | `body_bytes_sent=([\d|-]+)` |
Method | No | 1 | `request=(GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH)`<br>`request:\s"(GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH)` |
Referrer URL | No | 1 | `referrer:\s"(.*?)"`<br>`http_referer=(.*?)\t` |
Response Code | No | 1 | `LEEF:[0-9\.]+\|NGINX\|NGINX\|[^\|]+\|([^\|]+)\|` |
URL Path | No | 1 | `uri_path=(.*?)\t` |
URL Query String | No | 1 | `request:\s"(?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH)\s([^\;\s]+)`<br>`request=(?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH)\s([^\;\s]+)` |
UrlHost | Yes | 1 | `host:\s"(.*?):` |
User Agent | No | 1 | `http_user_agent=(.*?)\t` |