FortiSIEM - Apache Web Server - Syslog Parser
Hi,
I came across an issue with the current Apache Web Server integration with FortiSIEM. It uses the 'Snare Agent' to forward the Apache access/error logs via Syslog, and there is a parser for the Snare agent in FortiSIEM.
But if you use any other open-source syslog service (e.g. rsyslog/syslog-ng), that parser won't support it.
What would be the best workaround for this? Creating a custom parser for rsyslog/syslog-ng?
Cheers,
Isuru
Labels: SIEM
1 Solution
I made a quick change to the parser; it should at least recognize the events.
You'll need to disable the existing Apache parser and the InfoBloxAuditParser.
Clone the Apache parser and use the one I have attached here. Then validate, test (use the sample events below), and enable. Make sure you hit the apply button.
<190>Mar 13 09:20:15 localhost access_log ::1 - - [13/Mar/2020:09:20:15 +0530] "GET /images/blog-1.jpg HTTP/1.1" 200 122314 "http://localhost/contact.html" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
<190>Mar 13 03:48:02 localhost error_log AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
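As an added example (not from the thread or the attached FortiSIEM parser), the following Python shows what a parser has to match for the two sample events above: the rsyslog header with the log file name as the syslog tag, followed by either an Apache combined-format access line or an AHxxxxx error line. The "combined" LogFormat and the attribute names are assumptions about the poster's Apache setup, not something the thread states.

```python
import re
from datetime import datetime

# Constructed from the two sample events in the thread: Apache access/error
# lines forwarded by rsyslog, with the log file name as the syslog tag.
ACCESS_EVENT = ('<190>Mar 13 09:20:15 localhost access_log ::1 - - [13/Mar/2020:09:20:15 +0530] '
                '"GET /images/blog-1.jpg HTTP/1.1" 200 122314 "http://localhost/contact.html" '
                '"Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"')
ERROR_EVENT = ("<190>Mar 13 03:48:02 localhost error_log AH00558: httpd: Could not reliably "
               "determine the server's fully qualified domain name, using localhost.localdomain. "
               "Set the 'ServerName' directive globally to suppress this message")

# RFC 3164-style header: <PRI>, BSD timestamp, hostname, then tag and body.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>access_log|error_log) (?P<body>.*)$")
# Assumed Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<reqtime>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
    r'(?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# Error body as forwarded here: AHxxxxx code, program name, free text.
ERROR_RE = re.compile(r"^(?P<code>AH\d{5}): (?P<program>[^:]+): (?P<msg>.*)$")


def parse_event(line: str) -> dict:
    """Flatten one syslog-wrapped Apache event into attributes; {} if no format matches."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {}
    pri = int(m["pri"])
    ev = {"facility": pri >> 3, "severity": pri & 7,   # 190 -> local7, info
          "host": m["host"], "source_file": m["tag"]}
    if m["tag"] == "access_log":
        a = ACCESS_RE.match(m["body"])
        if not a:
            return {}
        ev.update(a.groupdict(), event_type="apache_access")
        ev["status"] = int(a["status"])
        ev["bytes"] = 0 if a["bytes"] == "-" else int(a["bytes"])
        # %t carries its own zone offset; the syslog header timestamp has none.
        ev["reqtime"] = datetime.strptime(a["reqtime"], "%d/%b/%Y:%H:%M:%S %z")
    else:
        e = ERROR_RE.match(m["body"])
        if not e:
            return {}
        ev.update(e.groupdict(), event_type="apache_error")
    return ev
```

Running `parse_event` over both sample events yields flat attribute dicts; a generic syslog line with another tag returns `{}`, which is the case the poster reported for plain Syslog messages.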
3 REPLIES
Hi Isuru,
Are you able to share any of your Apache logs and how you have apache logging configured?
I can look at modifying the parser for you.
Thanks
Dan
Hi Dan,
Sorry for the late response. Please find the logs exported from FortiSIEM herewith. Moreover, I have attached a screenshot of the Rsyslog config file.
We could also see that general Syslog messages are not identified by the SIEM.
Appreciate your support.
Cheers,
Isuru
