FortiSIEM Discussions
IsuruTharanga
New Contributor

FortiSIEM - Apache Web Server - Syslog Parser

Hi,

I came across an issue with the current Apache Web Server integration with FortiSIEM. It uses the 'Snare Agent' to forward the Apache access/error logs via Syslog, and there is a parser for the Snare agent in FortiSIEM.

But if you use any other open-source syslog service (e.g. rsyslog/syslog-ng), that parser won't support it.

What would be the best workaround for this? Creating a custom parser for rsyslog/syslog-ng?

Cheers,
Isuru
DanielHanman
Staff

Hi Isuru,

Are you able to share any of your Apache logs and how you have Apache logging configured?

I can look at modifying the parser for you.

Thanks

Dan

-------------------------------------------
Original Message:
Sent: 03-13-2020 06:04
From: Isuru Tharanga
Subject: FortiSIEM - Apache Web Server - Syslog Parser
IsuruTharanga

Hi Dan,

Sorry for the late response. Please find the logs exported from FortiSIEM herewith. Moreover, I have attached a screenshot of the Rsyslog config file.

We could see that general Syslog messages are also not identified by the SIEM.

Appreciate your support.

Cheers,
Isuru

-------------------------------------------
Original Message:
Sent: 03-13-2020 10:46
From: Daniel Hanman
Subject: FortiSIEM - Apache Web Server - Syslog Parser
DanielHanman

I made a quick change to the parser; it should at least recognize the events.

You'll need to disable the existing Apache parser and the InfoBloxAuditParser.

Clone the Apache parser and use the one I have attached here. Then do a validate, test (use the sample events below), then enable. Make sure you hit the apply button.


<190>Mar 13 09:20:15 localhost access_log ::1 - - [13/Mar/2020:09:20:15 +0530] "GET /images/blog-1.jpg HTTP/1.1" 200 122314 "http://localhost/contact.html" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
<190>Mar 13 03:48:02 localhost error_log AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message

-------------------------------------------
Original Message:
Sent: 03-17-2020 23:39
From: Isuru Tharanga
Subject: FortiSIEM - Apache Web Server - Syslog Parser