IsuruTharanga
Visitor III
March 13, 2020
Question

FortiSIEM - Apache Web Server - Syslog Parser

  • March 13, 2020
  • 1 reply
  • 783 views
Hi,

I came across an issue with the current Apache Web Server integration with FortiSIEM. It uses the 'Snare Agent' to forward the Apache access/error logs via syslog, and there is a parser for the Snare agent in FortiSIEM.

But if you use any other open-source syslog service (e.g. rsyslog/syslog-ng), that parser won't support it.

What would be the best workaround for this? Creating a custom parser for rsyslog/syslog-ng?

Cheers,
Isuru

    FSM_FTNT
    Staff
    March 13, 2020
    Hi Isuru,

    Are you able to share any of your Apache logs and how you have apache logging configured?

    I can look at modifying the parser for you.

    Thanks

    Dan
    IsuruTharanga
    Visitor III
    March 18, 2020
    Hi Dan,

    Sorry for the late response. Please find the logs exported from FortiSIEM herewith. Moreover, I have attached a screenshot of the Rsyslog config file.

    We could see that general syslog messages also cannot be identified by the SIEM.

    Appreciate your support.

    Cheers,
    Isuru
    FSM_FTNT
    Staff
    March 23, 2020
    I made a quick change to the parser; it should at least recognize the events.

    You'll need to disable the existing Apache parser and the InfoBloxAuditParser.

    Clone the Apache parser and use the one I have attached here. Then validate, test (use the sample events below), and enable. Make sure you hit the apply button.


    <190>Mar 13 09:20:15 localhost access_log ::1 - - [13/Mar/2020:09:20:15 +0530] "GET /images/blog-1.jpg HTTP/1.1" 200 122314 "http://localhost/contact.html" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
    <190>Mar 13 03:48:02 localhost error_log AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message

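As an added example (not code from the thread, and not FortiSIEM's own parser), a small Python parser for the two sample events Dan posted. It first strips the RFC 3164 syslog envelope that rsyslog puts in front of the message (PRI, timestamp, host, tag), uses the tag to tell access_log from error_log, and only then parses the Apache combined-format body or the AHxxxxx error code. The third sample line (an sshd message), the event-type names and the attribute names are assumptions made here to show how a non-Apache message falls through; they are not FortiSIEM's event types or attribute names.

```python
"""Parse rsyslog-forwarded Apache access/error events of the shape posted in the thread."""
import re
from typing import Dict, List

# Constructed sample input: the two events Dan posted (PRI 190 = local7.info) plus
# one generic syslog line (sshd) added here as an assumption to show the fallthrough.
SAMPLE_EVENTS: List[str] = [
    '<190>Mar 13 09:20:15 localhost access_log ::1 - - [13/Mar/2020:09:20:15 +0530] '
    '"GET /images/blog-1.jpg HTTP/1.1" 200 122314 "http://localhost/contact.html" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"',
    "<190>Mar 13 03:48:02 localhost error_log AH00558: httpd: Could not reliably "
    "determine the server's fully qualified domain name, using localhost.localdomain. "
    "Set the 'ServerName' directive globally to suppress this message",
    "<38>Mar 13 09:21:00 localhost sshd[1234]: Accepted publickey for isuru "
    "from 10.0.0.5 port 51234 ssh2",
]

# RFC 3164 envelope: <PRI>Mmm dd hh:mm:ss host tag[:] message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:]+):? ?"
    r"(?P<msg>.*)$"
)

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Apache error-log module code, e.g. "AH00558: httpd: ..."
ERROR_RE = re.compile(r"^(?P<code>AH\d{5}): (?P<module>\S+): (?P<text>.*)$")

# PRI = facility * 8 + severity (RFC 3164/5424); names per RFC 5424 table.
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
] + [f"local{i}" for i in range(8)]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_event(line: str) -> Dict[str, object]:
    """Split the syslog envelope, then parse the Apache body selected by the tag."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError("not an RFC 3164 syslog line: %r" % line[:40])
    pri = int(m.group("pri"))
    event: Dict[str, object] = {
        "facility": pri >> 3,                      # 190 >> 3 == 23
        "facility_name": FACILITY_NAMES[pri >> 3],  # local7
        "severity": pri & 7,                       # 190 & 7 == 6
        "severity_name": SEVERITY_NAMES[pri & 7],  # info
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "tag": m.group("tag"),
    }
    msg = m.group("msg")
    tag = m.group("tag")
    # The tag is what rsyslog attached to the forwarded file; it is the only thing
    # that distinguishes the two Apache logs once they share one syslog channel.
    if tag == "access_log":
        a = COMBINED_RE.match(msg)
        if a is None:
            raise ValueError("access_log body is not in Apache combined format")
        event["event_type"] = "apache_access"       # name chosen here, not FortiSIEM's
        event.update(a.groupdict())
        event["status"] = int(a.group("status"))
        event["size"] = 0 if a.group("size") == "-" else int(a.group("size"))
    elif tag == "error_log":
        event["event_type"] = "apache_error"        # name chosen here, not FortiSIEM's
        e = ERROR_RE.match(msg)
        if e is not None:
            event.update(e.groupdict())
        else:
            event["text"] = msg                     # error lines without an AH code
    else:
        event["event_type"] = "syslog_generic"      # anything else keeps the raw text
        event["text"] = msg
    return event


def parse_samples() -> List[Dict[str, object]]:
    """Parse every constructed sample line."""
    return [parse_event(line) for line in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev in parse_samples():
        print(ev["event_type"], {k: v for k, v in ev.items() if k != "event_type"})
```

Running it prints one dictionary per sample line. The two-stage split is the point: the line rsyslog emits carries a plain syslog header and a tag rather than the Snare framing the stock parser expects, so a parser definition has to match that header first and only then apply the Apache field pattern; the PRI arithmetic also shows why the posted events arrive as local7.info.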