To obtain Log Relay and to configure your account for remote log collection, you must have the AMP permissions listed under Remote Log Collection Permissions in Obtain Log Relay for Remote Log Collection added to your account.

Topics Discussed

You can use this document to send Apache logs to Armor's Security Information & Event Management (SIEM).

Configure Your Apache Service


Apache logging is configured through the Security Service Command Line Interface (CLI). For more information, see Security Service CLI Commands.

The following commands and arguments are available under the armor logging feature. They manage the Filebeat apache module on your virtual machines.

Each command is run as armor logging <command>. Commands that take arguments accept one or more log file paths.

  • apache-enable
    Arguments: none
    Result: Enables the Filebeat apache module (the same CLI also manages the IIS and nginx modules). The module yml file changes from the disabled state to the enabled state.
  • apache-disable
    Arguments: none
    Result: Disables the Filebeat apache module. The module yml file changes from the enabled state to the disabled state.
  • apache-add-access-paths
    Arguments: path1, path2, path3
    Result: Adds the argument paths to the 'access_paths' section of the module yml file.
  • apache-remove-access-paths
    Arguments: path1, path2, path3
    Result: Removes the argument paths from the 'access_paths' section of the module yml file.
  • apache-add-error-paths
    Arguments: path1, path2, path3
    Result: Adds the argument paths to the 'error_paths' section of the module yml file.
  • apache-remove-error-paths
    Arguments: path1, path2, path3
    Result: Removes the argument paths from the 'error_paths' section of the module yml file.
  • apache-sync-config
    Arguments: none
    Result: Syncs the module yml file on the VM with the latest required changes. This overwrites any custom settings already in the file (see Missing Logs below).
  • apache-describe-config
    Arguments: none
    Result: Displays the access and error paths currently configured in the module yml file.


Command Usage:

    armor logging apache-enable
    armor logging apache-disable
    armor logging apache-add-access-paths <paths>
    armor logging apache-remove-access-paths <paths>
    armor logging apache-add-error-paths <paths>
    armor logging apache-remove-error-paths <paths>
    armor logging apache-sync-config
    armor logging apache-describe-config

Replace <paths> with the log file path or paths to add or remove.

Additional Information

Apache must write its access log in a specific format. This is normally configured in the httpd.conf file. Documentation for mod_log_config is at http://httpd.apache.org/docs/current/mod/mod_log_config.html

Configure LogFormat Directive (Apache docs: http://httpd.apache.org/docs/current/mod/mod_log_config.html#logformat)
Without Reverse Proxy

    LogFormat "httpd: %h %A %l %u %t \"%r\" %>s %p %b \"%{Referer}i\" \"%{User-agent}i\"" armor_noproxy_202004

With Reverse Proxy

    LogFormat "httpd: %a %A %l %u %t \"%r\" %>s %p %b \"%{Referer}i\" \"%{User-agent}i\"" armor_proxy_202004

The two formats differ only in the first field. %h is the remote host (the peer's IP address unless HostnameLookups is On), while %a is the client IP address as determined by mod_remoteip. Behind a reverse proxy, %a reports the original client only if mod_remoteip is loaded and configured with RemoteIPHeader (for example X-Forwarded-For) and the proxies are declared with RemoteIPInternalProxy or RemoteIPTrustedProxy. Without mod_remoteip, %a is simply the proxy's address; with RemoteIPHeader but no proxy list, the header is honored from any connection, so a direct client can forge X-Forwarded-For and choose the address that is logged and sent to the SIEM.

Configure CustomLog Directive (Apache docs: http://httpd.apache.org/docs/current/mod/mod_log_config.html#customlog)

The filename supplied to CustomLog must be added as a file path with the Security Service CLI Commands. A relative filename is resolved against ServerRoot, so add the resulting absolute path.

    CustomLog "logs/access_log" armor_noproxy_202004

Note: the filename given to the CustomLog directive is the path used with the command:

    armor logging apache-add-access-paths


Full Example

    <IfModule log_config_module>
        LogFormat "httpd: %h %A %l %u %t \"%r\" %>s %p %b \"%{Referer}i\" \"%{User-agent}i\"" armor_noproxy_202004
        CustomLog "logs/access_log" armor_noproxy_202004
    </IfModule>

Behind a reverse proxy, use the %a format string and the armor_proxy_202004 nickname in both directives instead.
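As an added example (not part of the original page or of Armor's tooling), the following Python script ties the CustomLog step to the CLI table above: it reads an httpd.conf fragment, resolves each CustomLog and ErrorLog path against ServerRoot, checks that every CustomLog uses a LogFormat that starts with the httpd: prefix, skips piped or syslog targets that have no file to tail, and prints the armor logging commands to run. The sample configuration is constructed for the example. The script only prints the commands, it does not execute them, and it emits one path per apache-add-*-paths call rather than assuming how the CLI separates several paths in one call.

```python
import re
import shlex
from posixpath import isabs, join, normpath

# Directives that matter for log collection; Apache directive names are case-insensitive.
DIRECTIVE_RE = re.compile(r"^(ServerRoot|LogFormat|CustomLog|ErrorLog)\s+(.+)$", re.IGNORECASE)
ARMOR_PREFIX = "httpd: "   # every LogFormat on this page begins with this literal

# Constructed httpd.conf fragment for the example (not taken from a real server).
SAMPLE_HTTPD_CONF = r"""
ServerRoot "/etc/httpd"
<IfModule log_config_module>
    LogFormat "httpd: %h %A %l %u %t \"%r\" %>s %p %b \"%{Referer}i\" \"%{User-agent}i\"" armor_noproxy_202004
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    CustomLog "logs/access_log" armor_noproxy_202004
    CustomLog "/var/log/httpd/api_access.log" armor_noproxy_202004
    CustomLog "logs/legacy_access_log" common
    CustomLog "|/usr/sbin/rotatelogs /var/log/httpd/rotated_%Y%m%d.log 86400" armor_noproxy_202004
    # CustomLog "logs/old_access_log" armor_noproxy_202004
</IfModule>
ErrorLog "logs/error_log"
"""


def parse_httpd_conf(conf_text, default_server_root="/etc/httpd"):
    """Return (access_paths, error_paths, warnings) with every path made absolute.

    Relative CustomLog/ErrorLog paths are resolved against ServerRoot, since Filebeat
    tails files by absolute path. Logs written to a pipe or to syslog have no file to
    tail, and CustomLogs whose LogFormat lacks the httpd: prefix will not parse, so
    both are reported as warnings instead of being added.
    """
    server_root = default_server_root
    formats = {}                      # nickname -> format string
    access, errors, warnings = [], [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        directive, args = m.group(1).lower(), shlex.split(m.group(2))
        if directive == "serverroot":
            server_root = args[0]
        elif directive == "logformat" and len(args) == 2:
            formats[args[1]] = args[0]
        elif directive == "customlog":
            target = args[0]
            fmt_arg = args[1] if len(args) > 1 else ""
            # The second argument is either a nickname or an inline format string.
            fmt = formats.get(fmt_arg, fmt_arg if "%" in fmt_arg else None)
            if target.startswith("|"):
                warnings.append(f"line {lineno}: piped CustomLog has no file to tail: {target}")
            elif fmt is not None and not fmt.startswith(ARMOR_PREFIX):
                warnings.append(f"line {lineno}: {target} uses format '{fmt_arg}', not the httpd: format")
            else:
                if fmt is None:
                    warnings.append(f"line {lineno}: could not verify format '{fmt_arg}' for {target}")
                access.append(target)
        elif directive == "errorlog":
            target = args[0]
            if target.startswith("|") or target.startswith("syslog"):
                warnings.append(f"line {lineno}: ErrorLog target is not a file: {target}")
            else:
                errors.append(target)

    # Resolve after the loop so ServerRoot may appear anywhere in the file.
    def absolute(path):
        return normpath(path if isabs(path) else join(server_root, path))

    return [absolute(p) for p in access], [absolute(p) for p in errors], warnings


def armor_commands(access_paths, error_paths):
    """Build the Security Service CLI sequence from the page, one path per command."""
    cmds = ["armor logging apache-enable"]
    cmds += [f"armor logging apache-add-access-paths {p}" for p in access_paths]
    cmds += [f"armor logging apache-add-error-paths {p}" for p in error_paths]
    cmds += ["armor logging apache-sync-config", "armor logging apache-describe-config"]
    return cmds


if __name__ == "__main__":
    access, errors, warnings = parse_httpd_conf(SAMPLE_HTTPD_CONF)
    for w in warnings:
        print("WARNING:", w)
    print("\n".join(armor_commands(access, errors)))
```

Run it against the real httpd.conf (and any files it Includes) and review the warnings before pasting the printed commands into the CLI; the legacy log in the sample shows why the format check matters, since a file in Apache's default format would be shipped but not parsed.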

Troubleshooting

Verify that the lines written to the CustomLog file are formatted correctly, similar to the following examples. The fields, in order, are: the httpd: prefix, client address, server address, ident, user, timestamp, request line, status, server port, response bytes, Referer, and User-Agent.

    httpd: 192.0.2.0 192.0.2.0 - - [29/Apr/2020:12:18:03 +0000] "GET /cmd.exe HTTP/1.0" 404 80 196 "-" "curl/7.61.1"

    httpd: 198.51.100.0 192.0.2.0 - - [29/Apr/2020:10:47:38 +0000] "GET / HTTP/1.1" 200 80 1580 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"

    httpd: 203.0.113.0 192.0.2.0 - - [29/Apr/2020:13:12:58 +0000] "GET http://example.com/ HTTP/1.1" 200 80 1580 "-" "Security Scanner"
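As an added example (not from the original page), the following Python parser checks log lines against the LogFormat defined above. It accepts lines in the httpd: format, including the \" escaping Apache applies inside the request line and header values, and reports why a line fails, which is the check to run when Log Search shows nothing or shows unparsed events. The first three sample lines are the page's own examples; the last two are constructed, one with escaped quotes and one in Apache's default combined format, which is what a CustomLog that was never switched to the armor_* nickname produces.

```python
import re
from datetime import datetime

# Field order follows the page's LogFormat exactly:
#   httpd: %h|%a %A %l %u %t "%r" %>s %p %b "%{Referer}i" "%{User-agent}i"
# Apache escapes '"' and '\' inside %r and header values as \" and \\, so the
# quoted fields accept backslash escapes instead of stopping at the first quote.
QUOTED = r'(?:[^"\\]|\\.)*'
ARMOR_LINE_RE = re.compile(
    r'^httpd: (?P<client>\S+) (?P<server_ip>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>' + QUOTED + r')" '
    r'(?P<status>\d{3}) (?P<port>\d+) (?P<bytes>\d+|-) '
    r'"(?P<referer>' + QUOTED + r')" "(?P<user_agent>' + QUOTED + r')"$'
)

SAMPLE_LINES = [
    # The three example lines from the page's troubleshooting section.
    'httpd: 192.0.2.0 192.0.2.0 - - [29/Apr/2020:12:18:03 +0000] "GET /cmd.exe HTTP/1.0" 404 80 196 "-" "curl/7.61.1"',
    'httpd: 198.51.100.0 192.0.2.0 - - [29/Apr/2020:10:47:38 +0000] "GET / HTTP/1.1" 200 80 1580 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"',
    'httpd: 203.0.113.0 192.0.2.0 - - [29/Apr/2020:13:12:58 +0000] "GET http://example.com/ HTTP/1.1" 200 80 1580 "-" "Security Scanner"',
    # Constructed: Apache writes quotes inside %r and headers as \", which the parser must accept.
    r'httpd: 203.0.113.9 192.0.2.0 - - [29/Apr/2020:14:00:00 +0000] "GET /search?q=\"x\" HTTP/1.1" 200 80 512 "-" "probe/1.0 (\"x\")"',
    # Constructed: Apache's default "combined" format (no prefix, no %A, no %p), as written by a
    # CustomLog that still uses the stock nickname instead of armor_noproxy_202004.
    '192.0.2.0 - - [29/Apr/2020:12:18:03 +0000] "GET /cmd.exe HTTP/1.0" 404 196 "-" "curl/7.61.1"',
]


def parse_armor_line(line):
    """Parse one line in the httpd: format; return a dict of fields, or None if it does not match."""
    m = ARMOR_LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["port"] = int(rec["port"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])   # %b writes "-" for zero bytes
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    method, _, rest = rec["request"].partition(" ")
    rec["method"] = method
    rec["target"] = rest.rsplit(" ", 1)[0] if " " in rest else rest    # drop the protocol token
    return rec


def diagnose(line):
    """Best-effort reason a line did not match, pointing at the usual CustomLog mistake."""
    if not line.startswith("httpd: "):
        return "no 'httpd: ' prefix: the CustomLog is not using an armor_* LogFormat nickname"
    return "has the prefix but the field count or order differs from the armor_* LogFormat"


def validate(lines):
    """Return (parsed_records, failures); failures is a list of (line, reason)."""
    parsed, failures = [], []
    for line in lines:
        rec = parse_armor_line(line)
        if rec is None:
            failures.append((line, diagnose(line)))
        else:
            parsed.append(rec)
    return parsed, failures


if __name__ == "__main__":
    parsed, failures = validate(SAMPLE_LINES)
    print(f"{len(parsed)} lines parsed, {len(failures)} rejected")
    for rec in parsed:
        print(f"  {rec['time']:%Y-%m-%d %H:%M:%S} {rec['client']} {rec['method']} {rec['target']} -> {rec['status']}")
    for line, reason in failures:
        print(f"  REJECTED ({reason}): {line[:60]}")
```

Feed it the tail of the file named in CustomLog; a rejected line with a clear reason is usually faster to act on than an empty Log Search result.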

Missing Logs

If the Apache logs on the server do not match what is in Armor Log Search, check the length of the lines being ingested. Filebeat truncates any single log line longer than its max_bytes limit, which defaults to 10MB (10485760 bytes); everything past the limit is discarded rather than sent. Lines over that size require the max_bytes property in the Filebeat Apache configuration to be set to the desired value.

Note: Running armor logging apache-sync-config overwrites custom settings already in the configuration file, including a changed max_bytes, so re-apply them after every sync.
