Note

To obtain Log Relay and to configure your account for remote log collection, you must have the following AMP permissions added to your account:

  • Write Virtual Machine
  • Delete Log Management
  • Read Log Endpoints
  • Read Log Relays
  • Write Log Relays
  • Delete Log Relays

You can use this document to send NGINX logs to Armor's Security Information & Event Management (SIEM).

Configure Your NGINX Service

Configuring NGINX services uses the Command Line Interface (CLI) feature. For more information, see Security Service CLI Commands.

The following arguments are the parameters of the Logging CLI feature, which lets customers manage Filebeat modules on Virtual Machines.

Command / Arguments / Result

  • nginx-enable
    Arguments: none
    Result: Enables the Filebeat module (IIS/apache/nginx). When run, the module yml file changes from the disabled state to the enabled state.

  • nginx-disable
    Arguments: none
    Result: Disables the Filebeat module (IIS/apache/nginx). When run, the module yml file changes from the enabled state to the disabled state.

  • nginx-add-access-paths
    Arguments: path1, path2, path3
    Result: Adds the argument paths to the 'access_paths' section of the module yml file.

  • nginx-remove-access-paths
    Arguments: path1, path2, path3
    Result: Removes the argument paths from the 'access_paths' section of the module yml file.

  • nginx-add-error-paths
    Arguments: path1, path2, path3
    Result: Adds the argument paths to the 'error_paths' section of the module yml file.

  • nginx-remove-error-paths
    Arguments: path1, path2, path3
    Result: Removes the argument paths from the 'error_paths' section of the module yml file.

  • nginx-sync-config
    Arguments: none
    Result: Syncs the module yml file on the VM with the latest required changes.

  • nginx-describe-config
    Arguments: none
    Result: Displays the access and error paths currently configured in the module yml file.


Command Usage:

Code Block
armor logging nginx-enable
armor logging nginx-disable
armor logging nginx-add-access-paths <paths to add>
armor logging nginx-remove-access-paths <paths to remove>
armor logging nginx-add-error-paths <paths to add>
armor logging nginx-remove-error-paths <paths to remove>
armor logging nginx-sync-config
armor logging nginx-describe-config

Additional Information

NGINX needs to be configured with a specific log format (LEEF 1.0 with tab-separated attributes, as shown below). This is normally done in the nginx.conf file. Documentation for the ngx_http_log_module can be found at http://nginx.org/en/docs/http/ngx_http_log_module.html

Configure Log Format Directive (NGINX Docs)

Code Block
log_format armor_202004 'LEEF:1.0|NGINX|NGINX|$nginx_version|$status|'
    'devTime=$time_local\t'
    'devTimeFormat=dd/MMM/yyyy:HH:mm:ss Z\t'
    'src=$remote_addr\t'
    'dst=$server_addr\t'
    'dstPort=$server_port\t'
    'proto=$server_protocol\t'
    'usrName=$remote_user\t'
    'request=$request\t'
    'body_bytes_sent=$body_bytes_sent\t'
    'http_referer=$http_referer\t'
    'http_true_client_ip=$http_true_client_ip\t'
    'http_user_agent=$http_user_agent\t'
    'http_x_header=$http_x_header\t'
    'http_x_forwarded_for=$http_x_forwarded_for\t'
    'request_time=$request_time\t'
    'upstream_response_time=$upstream_response_time\t'
    'pipe=$pipe\t'
    'uri_query=$query_string\t'
    'uri_path=$uri\t'
    'cookie=$http_cookie';


Configure Access Log Directive (NGINX Docs)

Code Block
access_log /var/log/nginx/access.log armor_202004;

Note

The access_log directive sets the file name that you then register with the command:

Code Block
armor logging nginx-add-access-paths /var/log/nginx/access.log

Full Example

Code Block
http {
    log_format armor_202004 'LEEF:1.0|NGINX|NGINX|$nginx_version|$status|'
        'devTime=$time_local\t'
        'devTimeFormat=dd/MMM/yyyy:HH:mm:ss Z\t'
        'src=$remote_addr\t'
        'dst=$server_addr\t'
        'dstPort=$server_port\t'
        'proto=$server_protocol\t'
        'usrName=$remote_user\t'
        'request=$request\t'
        'body_bytes_sent=$body_bytes_sent\t'
        'http_referer=$http_referer\t'
        'http_true_client_ip=$http_true_client_ip\t'
        'http_user_agent=$http_user_agent\t'
        'http_x_header=$http_x_header\t'
        'http_x_forwarded_for=$http_x_forwarded_for\t'
        'request_time=$request_time\t'
        'upstream_response_time=$upstream_response_time\t'
        'pipe=$pipe\t'
        'uri_query=$query_string\t'
        'uri_path=$uri\t'
        'cookie=$http_cookie';
    access_log /var/log/nginx/access.log armor_202004;
}

Troubleshooting

Verify that logs are formatted correctly, similar to the following examples:

Code Block
LEEF:1.0|NGINX|NGINX|1.16.1|404|devTime=17/Apr/2020:13:15:58 +0000 devTimeFormat=dd/MMM/yyyy:HH:mm:ssZ src=198.51.100.20 dst=192.0.2.0 dstPort=80 proto=HTTP/1.1 usrName=- request=GET /nginx-logo.pn HTTP/1.1 body_bytes_sent=3665 http_referer=http://203.0.113.30/ http_true_client_ip=- http_user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/198.51.100.100 Safari/537.36 http_x_header=- http_x_forwarded_for=- request_time=0.000 upstream_response_time=- pipe=. uri_query=- uri_path=/404.html cookie=-
LEEF:1.0|NGINX|NGINX|1.16.1|200|devTime=22/Apr/2020:13:06:50 +0000 devTimeFormat=dd/MMM/yyyy:HH:mm:ss Z src=203.0.113.20 dst=192.0.2.0 dstPort=80 proto=HTTP/1.1 usrName=- request=GET http://[::ffff:a9fe:a9fe]/ HTTP/1.1 body_bytes_sent=1580 http_referer=- http_true_client_ip=- http_user_agent=AWS Security Scanner http_x_header=- http_x_forwarded_for=- request_time=0.000 upstream_response_time=0.000 pipe=. uri_query=- uri_path=/ cookie=-
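A small checker for the lines this log_format writes, added here as an example (it is not Armor's or NGINX's code): it splits the five pipe-delimited LEEF header fields from the tab-separated attributes, confirms the attribute keys appear in the armor_202004 order, and confirms devTime really matches the declared dd/MMM/yyyy:HH:mm:ss Z format. The sample line and the combined-format line in the test are constructed.

```python
import ipaddress
from datetime import datetime

# Attribute keys the armor_202004 log_format emits, in this order.
EXPECTED_KEYS = [
    "devTime", "devTimeFormat", "src", "dst", "dstPort", "proto", "usrName",
    "request", "body_bytes_sent", "http_referer", "http_true_client_ip",
    "http_user_agent", "http_x_header", "http_x_forwarded_for", "request_time",
    "upstream_response_time", "pipe", "uri_query", "uri_path", "cookie",
]

# Constructed sample in the shape armor_202004 writes (attributes are tab-separated).
SAMPLE = (
    "LEEF:1.0|NGINX|NGINX|1.16.1|404|"
    "devTime=17/Apr/2020:13:15:58 +0000\tdevTimeFormat=dd/MMM/yyyy:HH:mm:ss Z\t"
    "src=198.51.100.20\tdst=192.0.2.0\tdstPort=80\tproto=HTTP/1.1\tusrName=-\t"
    "request=GET /nginx-logo.pn HTTP/1.1\tbody_bytes_sent=3665\t"
    "http_referer=http://203.0.113.30/\thttp_true_client_ip=-\thttp_user_agent=Mozilla/5.0\t"
    "http_x_header=-\thttp_x_forwarded_for=-\trequest_time=0.000\t"
    "upstream_response_time=-\tpipe=.\turi_query=a=1&b=2\turi_path=/404.html\tcookie=-"
)

def parse_leef(line):
    """Split one line into (header fields, attribute dict); None if not LEEF 1.0."""
    parts = line.rstrip("\n").split("|", 5)  # the header has exactly 5 pipes
    if len(parts) != 6 or parts[0] != "LEEF:1.0":
        return None
    attrs = {}
    for kv in parts[5].split("\t"):
        key, sep, value = kv.partition("=")  # values may contain '=' (query strings)
        if sep:
            attrs[key] = value
    return parts[:5], attrs

def check_line(line):
    """Return a list of problems; an empty list means the line is well-formed."""
    parsed = parse_leef(line)
    if parsed is None:
        return ["not a LEEF:1.0 line with a 5-field header"]
    header, attrs = parsed
    problems = []
    if header[1:3] != ["NGINX", "NGINX"] or not header[4].isdigit():
        problems.append("header is not LEEF:1.0|NGINX|NGINX|<version>|<status>|")
    if list(attrs) != EXPECTED_KEYS:
        problems.append("attribute keys differ from the armor_202004 order")
    try:  # dd/MMM/yyyy:HH:mm:ss Z is the layout of nginx's $time_local
        datetime.strptime(attrs.get("devTime", ""), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        problems.append("devTime does not match dd/MMM/yyyy:HH:mm:ss Z")
    try:
        ipaddress.ip_address(attrs.get("src", ""))
    except ValueError:
        problems.append("src is not an IP address")
    return problems
```

Run it over /var/log/nginx/access.log line by line; any non-empty result points at a log_format that was edited, or at a file still written in the default combined format.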