Apache Web Server
- What is Discovered and Monitored
- Event Types
- Reports
- Configuration
- Define the Apache Log Format
- Apache Syslog Log Format
- Settings for Access Credentials
What is Discovered and Monitored
Protocol |
Information discovered |
Metrics collected |
Used for |
---|---|---|---|
SNMP |
Application type |
Process level metrics: CPU utilization, Memory utilization |
Performance Monitoring |
HTTP(S) via the mod-status module |
Apachemetrics: Uptime, CPU load, Total Accesses, Total Bytes Connections, Requests/sec, Bytes/sec, Bytes/req, Busy Workers, Idle Workers |
Performance Monitoring |
|
Syslog |
Application type |
W3C access logs: attributes include Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration |
Security Monitoring and compliance |
Event Types
In ADMIN > Device Support > Event Types, search for "apache" to see the event types associated with this device.
Reports
In RESOURCES > Reports, search for "apache" in the main content panel Search... field to see the reports associated with this device.
Configuration
The Apache Web Server Configuration instructions utilizes a reference point for where Apache installs by default. Based on your own configuration, Apache may be installed in the following locations:
/etc
/etc/httpd
/usr/local
Adjust your configuration according to your installed Apache directory.
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
HTTPS
To communicate with FortiSIEM over HTTPS, you must configure the mod_status module in your Apache web server.
- Log in to your web server as an administrator.
- Open the configuration file
/etc/Httpd.conf
. -
Modify the file as shown in these code blocks, depending on whether you are connecting over HTTP without authentication, or over HTTPS with authentication.
Without AuthenticationLoadModule status_module modules/mod_status.so ... ExtendedStatus on ... #Configuration without authentication <Location /server-status> SetHandler server-status Order Deny,Allow Deny from all Allow from .foo.com </Location>
LoadModule status_module modules/mod_status.so ... ExtendedStatus on ... #Configuration with authentication <Location /server-status> SetHandler server-status Order deny,allow Deny from all Allow from all AuthType Basic AuthUserFile /etc/httpd/account/users AuthGroupFile /etc/httpd/account/groups AuthName "Admin" Require group admin Satisfy all </Location>
- If you are using authentication, you will have to add user authentication credentials.
- Go to
/etc/httpd
, and if necessary, create anaccount
directory. - In the
account
directory, create two files,users
andgroups
. - In the
groups
file, enteradmin:admin
. Create a password for the admin user.
htpasswd --c users admin
- Go to
-
Reload Apache.
/etc/init.d/httpd reload
You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Syslog
Install and configure Epilog application to send syslog to FortiSIEM
- Download Epilog from snare, information to download here, and install it on your Windows Server.
- For Windows, launch Epilog from Start→All Programs→InterSect Alliance→Epilog for windows
- For Linux, enter
http://<yourApacheServerIp>:6162
- Configure Epilog application as follows
- Go to Log Configuration. Click the Add button and add the following log files to be sent to FortiSIEM
/etc/httpd/logs/access_log
/etc/httpd/logs/ssl_access_log
- Go to Network Configuration
- Set AO System IP(all-in-1 or collector) in Destination Server address (10.1.2.20 here);
- Set 514 in Destination Port text area
- Click Change Configuration to save the configuration
- Apply the Latest Audit Configuration. Apache logs will now sent to FortiSIEM in real time.
- Go to Log Configuration. Click the Add button and add the following log files to be sent to FortiSIEM
Define the Apache Log Format
You must define the format of the logs that Apache will send to FortiSIEM.
- Open the file
/etc/httpd/conf.d/ssl.conf
for editing. - Add this line to the file.
CustomLog logs/ssl_request_log combined
-
Uncomment this line in the file.
#CustomLog logs/access_log common
-
Add this line to the file.
CustomLog logs/access_log combined
-
Reload Apache.
/etc/init.d/httpd reload
Apache Syslog Log Format
<142>Sep 17 13:27:37 SJ-Dev-S-RH-VMW-01.prospecthills.net ApacheLog 192.168.20.35 - - [17/Sep/2009:13:27:37 -0700] "GET /icons/apache_pb2.gif HTTP/1.1" 200 2414 "http://192.168.0.30/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"<134>Mar 4 17:08:04 137.146.28.68 httpd: [ID 702911 local0.info] 192.168.20.38 - - [04/Mar/2010:16:35:21 -0800] "GET /bugzilla-3.0.4/ HTTP/1.1" 200 10791 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6"<142>Sep 17 13:27:37 135.134.33.23 HTTP: [ID 702911 local0.info] 192.168.20.38 - - [04/Mar/2010:16:35:21 -0800] "GET /bugzilla-3.0.4/ HTTP/1.1" 200 10791 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6"
Settings for Access Credentials
SNMP Access Credentials for All Devices
Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.
Setting | Value |
---|---|
Name | <set name> |
Device Type | Generic |
Access Protocol | SNMP |
Community String | <your own> |
Settings for Apache Web Server HTTPS Access Credentials
Use these Access Method Definition settings to allow FortiSIEM to communicate with your Apache web server over https.
Setting | Value |
---|---|
Name | Apache-https |
Device Type | generic |
Access Protocol | HTTP or HTTPS |
Port | 80 (HTTP) or 443 (HTTPS) |
URL | server-status?auto |
User Name | The admin account you created when configuring HTTPS |
Password | The password associated with the admin account |