Cybersecurity Forum


isuru
New Contributor II

FortiSIEM - Apache Web Server - Syslog Parser

Hi,

I came across an issue with the current Apache Web Server integration with FortiSIEM. It uses the 'Snare Agent' to forward the Apache access/error logs via Syslog, and there is a parser for the Snare agent in FortiSIEM.

But if you use any other open-source syslog service (e.g. rsyslog/syslog-ng), that parser won't support it.

What would be the best workaround for this? Creating a custom parser for rsyslog/syslog-ng?

Cheers,
Isuru

FSM_FTNT
Staff

Hi Isuru,

Are you able to share any of your Apache logs and how you have apache logging configured?

I can look at modifying the parser for you.

Thanks

Dan
isuru
New Contributor II

Hi Dan,

Sorry for the late response. Please find the logs exported from FortiSIEM herewith. Moreover, I have attached a screenshot of the Rsyslog config file.

We could see that general Syslog messages are also unable to be identified by the SIEM.

Appreciate your support.

Cheers,
Isuru
FSM_FTNT

I made a quick change to the parser; it should at least recognize the events.

You'll need to disable the existing Apache parser and the InfoBloxAuditParser.

Clone the Apache parser and use the one I have attached here. Then validate, test (use the sample events below), and enable. Make sure you hit the apply button.


<190>Mar 13 09:20:15 localhost access_log ::1 - - [13/Mar/2020:09:20:15 +0530] "GET /images/blog-1.jpg HTTP/1.1" 200 122314 "http://localhost/contact.html" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
<190>Mar 13 03:48:02 localhost error_log AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
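As an added example (not code from this thread, from FortiSIEM, or from Fortinet; the attached FortiSIEM parser itself is not reproduced on the page), the following Python parser is built around the two sample events above. It shows what a custom parser for rsyslog/syslog-ng forwarded Apache logs has to pull apart: the syslog `<PRI>` and RFC 3164 header, the `access_log`/`error_log` tag that appears where the Snare tag would otherwise be, and the Apache combined-format fields behind it. How the tags were produced on Isuru's host is not shown in the thread, so the example keys only on the tag text visible in the samples. The third input line (an sshd login) is constructed here to exercise the fallback for non-Apache syslog, which the thread notes FortiSIEM was also failing to identify.

```python
"""Parse syslog-forwarded Apache access/error events of the shape shown in the thread.

Added example; the sample events come from the forum post, the sshd line is constructed.
"""
import re
from datetime import datetime

# The two sample events from the thread (verbatim).
SAMPLE_EVENTS = [
    '<190>Mar 13 09:20:15 localhost access_log ::1 - - [13/Mar/2020:09:20:15 +0530] '
    '"GET /images/blog-1.jpg HTTP/1.1" 200 122314 "http://localhost/contact.html" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"',
    '<190>Mar 13 03:48:02 localhost error_log AH00558: httpd: Could not reliably determine '
    "the server's fully qualified domain name, using localhost.localdomain. "
    "Set the 'ServerName' directive globally to suppress this message",
]
# Constructed (not from the thread): a non-Apache line to show the generic fallback.
CONSTRUCTED_OTHER = ('<86>Mar 13 09:21:00 localhost sshd[1234]: Accepted publickey '
                     'for isuru from 10.0.0.5 port 51234 ssh2')

SEVERITIES = ['emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug']
FACILITIES = ['kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news',
              'uucp', 'cron', 'authpriv', 'ftp', 'ntp', 'audit', 'alert', 'clock'] + \
             [f'local{i}' for i in range(8)]

# RFC 3164-style header as rsyslog/syslog-ng emit by default: <PRI>Mon DD HH:MM:SS host tag msg
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) '
    r'(?P<tag>[^:\s]+):? ?'
    r'(?P<msg>.*)$')

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$')

# Apache error-log lines in the sample start with the module message code (AHnnnnn).
ERROR_RE = re.compile(r'^(?P<code>AH\d{5}): (?P<text>.*)$')


def parse_event(line: str) -> dict:
    """Return a dict of extracted fields; 'type' says which branch matched."""
    m = SYSLOG_RE.match(line)
    if not m or int(m['pri']) > 191:          # PRI is facility*8 + severity, max 191
        return {'type': 'unparsed', 'raw': line}
    pri = int(m['pri'])
    event = {
        'facility': FACILITIES[pri // 8],
        'severity': SEVERITIES[pri % 8],
        'syslog_time': m['ts'],
        'host': m['host'],
        'tag': m['tag'],
    }
    msg = m['msg']
    if m['tag'] == 'access_log':
        a = ACCESS_RE.match(msg)
        if a:
            event['type'] = 'apache_access'
            event.update(a.groupdict())
            event['status'] = int(a['status'])
            event['size'] = 0 if a['size'] == '-' else int(a['size'])   # %b prints '-' for no body
            event['time'] = datetime.strptime(a['time'], '%d/%b/%Y:%H:%M:%S %z')
            return event
    elif m['tag'] == 'error_log':
        e = ERROR_RE.match(msg)
        if e:
            event['type'] = 'apache_error'
            event['code'] = e['code']
            event['text'] = e['text']
            return event
    # Anything else (or an Apache line in an unexpected format) still gets header fields.
    event['type'] = 'generic_syslog'
    event['message'] = msg
    return event


def parse_events(lines):
    """Parse a batch of raw syslog lines."""
    return [parse_event(l) for l in lines]


if __name__ == '__main__':
    for ev in parse_events(SAMPLE_EVENTS + [CONSTRUCTED_OTHER]):
        print(ev['type'], {k: v for k, v in ev.items() if k != 'type'})
```

Both sample events carry PRI 190, i.e. facility local7 at severity info, and the access line's client is the IPv6 loopback `::1`, which is why the client field is matched as any non-space token rather than as a dotted IPv4 address.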
