Topics Discussed
To obtain Log Relay and to configure your account for remote log collection, you must have the following AMP permissions added to your account:
Write Virtual Machine
Delete Log Management
Read Log Endpoints
Read Log Relays
Write Log Relays
Delete Log Relays
You can use this document to send NGINX logs to Armor's Security Information & Event Management (SIEM).
Configure Your NGINX Service
Configuring Apache services uses the Command Line Interface (CLI) feature. For more information, see Security Service CLI Commands.
The following arguments are possible parameters for the Logging CLI feature. This allows customers to manage filebeat modules on Virtual Machines.
Command Usage:
armor logging nginx-enable armor logging nginx-disable armor logging nginx-add-access-paths <required paths needs to add here> armor logging nginx-remove-access-paths <required paths needs to add here> armor logging nginx-add-error-paths <required paths needs to add here> armor logging nginx-remove-error-paths <required paths needs to add here> armor logging nginx-sync-config armor logging nginx-describe-config
Additional Information
NGINX will need configuration for a specific log format. This is normally done in the nginx.conf file. Documentation for the ngx_http_log_module can be found at http://nginx.org/en/docs/http/ngx_http_log_module.html
Configure Log Format Directive NGINX Docs
log_format armor_202004 'LEEF:1.0|NGINX|NGINX|$nginx_version|$status|' 'devTime=$time_local\t' 'devTimeFormat=dd/MMM/yyyy:HH:mm:ss Z\t' 'src=$remote_addr\t' 'dst=$server_addr\t' 'dstPort=$server_port\t' 'proto=$server_protocol\t' 'usrName=$remote_user\t' 'request=$request\t' 'body_bytes_sent=$body_bytes_sent\t' 'http_referer=$http_referer\t' 'http_true_client_ip=$http_true_client_ip\t' 'http_user_agent=$http_user_agent\t' 'http_x_header=$http_x_header\t' 'http_x_forwarded_for=$http_x_forwarded_for\t' 'request_time=$request_time\t' 'upstream_response_time=$upstream_response_time\t' 'pipe=$pipe\t' 'uri_query=$query_string\t' 'uri_path=$uri\t' 'cookie=$http_cookie';
Configure Access Log Directive NGINX Docs
access_log /var/log/nginx/access.log armor_202004;
Configure Access Log Directive will create a filename that is then used with the command:
armor logging nginx-add-access-paths
Full Example
http { log_format armor_202004 'LEEF:1.0|NGINX|NGINX|$nginx_version|$status|' 'devTime=$time_local\t' 'devTimeFormat=dd/MMM/yyyy:HH:mm:ss Z\t' 'src=$remote_addr\t' 'dst=$server_addr\t' 'dstPort=$server_port\t' 'proto=$server_protocol\t' 'usrName=$remote_user\t' 'request=$request\t' 'body_bytes_sent=$body_bytes_sent\t' 'http_referer=$http_referer\t' 'http_true_client_ip=$http_true_client_ip\t' 'http_user_agent=$http_user_agent\t' 'http_x_header=$http_x_header\t' 'http_x_forwarded_for=$http_x_forwarded_for\t' 'request_time=$request_time\t' 'upstream_response_time=$upstream_response_time\t' 'pipe=$pipe\t' 'uri_query=$query_string\t' 'uri_path=$uri\t' 'cookie=$http_cookie'; access_log /var/log/nginx/access.log armor_202004;
Troubleshooting
Verify that logs are formatted correctly, similar to the following examples:
LEEF:1.0|NGINX|NGINX|1.16.1|404|devTime=17/Apr/2020:13:15:58 +0000 devTimeFormat=dd/MMM/yyyy:HH:mm:ssZ src=198.51.100.20 dst=192.0.2.0 dstPort=80 proto=HTTP/1.1 usrName=- request=GET /nginx-logo.pn HTTP/1.1 body_bytes_sent=3665 http_referer=http://203.0.113.30/ http_true_client_ip=- http_user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/198.51.100.100 Safari/537.36 http_x_header=- http_x_forwarded_for=- request_time=0.000 upstream_response_time=- pipe=. uri_query=- uri_path=/404.html cookie=-
LEEF:1.0|NGINX|NGINX|1.16.1|200|devTime=22/Apr/2020:13:06:50 +0000 devTimeFormat=dd/MMM/yyyy:HH:mm:ss Z src=203.0.113.20 dst=192.0.2.0 dstPort=80 proto=HTTP/1.1 usrName=- request=GET http://[::ffff:a9fe:a9fe]/ HTTP/1.1 body_bytes_sent=1580 http_referer=- http_true_client_ip=- http_user_agent=AWS Security Scanner http_x_header=- http_x_forwarded_for=- request_time=0.000 upstream_response_time=0.000 pipe=. uri_query=- uri_path=/ cookie=-
LEEF:1.0|NGINX|NGINX|1.16.1|404|devTime=17/Apr/2020:13:15:58 +0000 devTimeFormat=dd/MMM/yyyy:HH:mm:ssZ src=198.51.100.20 dst=192.0.2.0 dstPort=80 proto=HTTP/1.1 usrName=- request=GET /nginx-logo.pn HTTP/1.1 body_bytes_sent=3665 http_referer=http://203.0.113.30/ http_true_client_ip=- http_user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/198.51.100.100 Safari/537.36 http_x_header=- http_x_forwarded_for=- request_time=0.000 upstream_response_time=- pipe=. uri_query=- uri_path=/404.html cookie=-
LEEF:1.0|NGINX|NGINX|1.16.1|200|devTime=22/Apr/2020:13:06:50 +0000 devTimeFormat=dd/MMM/yyyy:HH:mm:ss Z src=203.0.113.20 dst=192.0.2.0 dstPort=80 proto=HTTP/1.1 usrName=- request=GET http://[::ffff:a9fe:a9fe]/ HTTP/1.1 body_bytes_sent=1580 http_referer=- http_true_client_ip=- http_user_agent=AWS Security Scanner http_x_header=- http_x_forwarded_for=- request_time=0.000 upstream_response_time=0.000 pipe=. uri_query=- uri_path=/ cookie=-