Fortinet white logo
Fortinet white logo

External Systems Configuration Guide

Apache Web Server

Apache Web Server

Support Added: FortiSIEM 4.8.1

Last Modification: FortiSIEM 6.4.0

Vendor Version Tested: Not Provided

Vendor: The Apache Software Foundation and the Apache HTTP Server Project

Product: Web Server

Product Information: https://httpd.apache.org/

What is Discovered and Monitored

Protocol

Information discovered

Metrics collected

Used for

SNMP

Application type

Process level metrics: CPU utilization, Memory utilization

Performance Monitoring

HTTP(S) via the mod-status module

Apachemetrics: Uptime, CPU load, Total Accesses, Total Bytes Connections, Requests/sec, Bytes/sec, Bytes/req, Busy Workers, Idle Workers

Performance Monitoring

Syslog

Application type

W3C access logs: attributes include Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration

Security Monitoring and compliance

Event Types

In ADMIN > Device Support > Event Types, search for "apache" to see the event types associated with this device.

Reports

In RESOURCES > Reports, search for "apache" in the main content panel Search... field to see the reports associated with this device.

Configuration

The Apache Web Server Configuration instructions utilizes a reference point for where Apache installs by default. Based on your own configuration, Apache may be installed in the following locations:

/etc

/etc/httpd

/usr/local

Adjust your configuration according to your installed Apache directory.

Syslog via Rsyslog

To use rsyslog to collect and send Apache logs via syslog, take the following steps:
Notes:

  • Rsyslog Tag= is case sensitive, so ensure it is entered properly.

  • For steps 4 and 5, change the path as required to direct it to your ssl_access.log and ssl_error.log files.

  • For step 6, replace <FortiSIEM collector IP or hostname> with your actual FortiSIEM collector IP or hostname.

  1. Locate where your Apache installation is writing log files, such as error or access logs. Here is a typical location:

    /var/log/httpd/ssl_access_log

    /var/log/httpd/ssl_error_log

  2. Locate rsyslog.conf. Here is a typical location:

    /etc/rsyslog.conf

  3. Add imfile module to your rsyslog.conf file in the modules section.

    module(load="imfile" PollingInterval="10")

  4. Place the following inputs below the modules section for Apache access log in your rsyslog.conf file.

    input(type="imfile" File="/var/log/httpd/ssl_access_log"

    Tag="Apache_AccessLog:"

    Severity="error"

    Facility="local6")

  5. Place the following inputs below for Apache error log in your rsyslog.conf file.

    input(type="imfile" File="/var/log/httpd/ssl_error_log"

    Tag="Apache_ErrorLog:"

    Severity="info"

    Facility="local6")

  6. Place the following in the rules section in your rsyslog.conf file.

    local6.* @<FortiSIEM collector IP or hostname>:514

  7. Restart rsyslog by running the following command.

    systemctl restart rsyslog

  8. Confirm that logs are arriving. Ensure that your firewall(s) allow UDP 514 inbound to target IP.

Example Log

<179>Mar 22 00:41:50 lab1.example.com Apache_AccessLog: 192.0.20.0 - - [22/Mar/2022:00:41:48 +0000] "POST /phoenix/rest/h5/rt/start2?t=t1647909924028&s=333078424F54496950533135435470487275415A5974705451387635564B39496D4949717865776A HTTP/1.1" 200 36
SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

HTTPS

To communicate with FortiSIEM over HTTPS, you must configure the mod_status module in your Apache web server.

  1. Log in to your web server as an administrator.
  2. Open the configuration file /etc/Httpd.conf.
  3. Modify the file as shown in these code blocks, depending on whether you are connecting over HTTP without authentication, or over HTTPS with authentication.
    Without Authentication
       LoadModule status_module modules/mod_status.so
       ...
       ExtendedStatus on
       ...
       #Configuration without authentication
       <Location /server-status>       SetHandler server-status
           Order Deny,Allow
           Deny from all
           Allow from .foo.com
       </Location>
    

    With Authentication
       LoadModule status_module modules/mod_status.so
       ...
       ExtendedStatus on
       ...
       #Configuration with authentication
       <Location /server-status>      SetHandler server-status
          Order deny,allow
          Deny from all
          Allow from all
          AuthType Basic
          AuthUserFile /etc/httpd/account/users
          AuthGroupFile /etc/httpd/account/groups
          AuthName "Admin"      Require group admin
          Satisfy all
      </Location>
  4. If you are using authentication, you will have to add user authentication credentials.
    1. Go to /etc/httpd, and if necessary, create an account directory.
    2. In the account directory, create two files, users and groups.
    3. In the groups file, enter admin:admin.
    4. Create a password for the admin user.

      htpasswd --c users admin
  5. Reload Apache.
    /etc/init.d/httpd reload

You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Syslog via Snare Logging Agent

Install and configure Epilog application to send syslog to FortiSIEM

  1. Download Epilog from snare, information to download here, and install it on your Windows Server.
  2. For Windows, launch Epilog from Start→All Programs→InterSect Alliance→Epilog for windows
  3. For Linux, enter http://<yourApacheServerIp>:6162
  4. Configure Epilog application as follows
    1. Go to Log Configuration. Click the Add button and add the following log files to be sent to FortiSIEM
      • /etc/httpd/logs/access_log
      • /etc/httpd/logs/ssl_access_log
    2. Go to Network Configuration
      1. Set AO System IP(all-in-1 or collector) in Destination Server address (10.1.2.20 here);
      2. Set 514 in Destination Port text area
      3. Click Change Configuration to save the configuration
    3. Apply the Latest Audit Configuration. Apache logs will now sent to FortiSIEM in real time.

Define the Apache Log Format

You must define the format of the logs that Apache will send to FortiSIEM.

  1. Open the file /etc/httpd/conf.d/ssl.conf for editing.
  2. Add this line to the file.
    CustomLog logs/ssl_request_log combined
    
  3. Uncomment this line in the file.
    #CustomLog logs/access_log common
    
  4. Add this line to the file.
    CustomLog logs/access_log combined
    
  5. Reload Apache.
    /etc/init.d/httpd reload

Apache Syslog Log Format

<142>Sep 17 13:27:37 SJ-Dev-S-RH-VMW-01.prospecthills.net ApacheLog   192.168.20.35 - - [17/Sep/2009:13:27:37 -0700] "GET /icons/apache_pb2.gif HTTP/1.1" 200 2414 "http://192.168.0.30/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"<134>Mar  4 17:08:04 137.146.28.68 httpd: [ID 702911 local0.info] 192.168.20.38 - - [04/Mar/2010:16:35:21 -0800] "GET /bugzilla-3.0.4/ HTTP/1.1" 200 10791 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6"<142>Sep 17 13:27:37 135.134.33.23 HTTP: [ID 702911 local0.info] 192.168.20.38 - - [04/Mar/2010:16:35:21 -0800] "GET /bugzilla-3.0.4/ HTTP/1.1" 200 10791 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6"

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Setting Value
Name <set name>
Device Type Generic
Access Protocol SNMP
Community String <your own>
Settings for Apache Web Server HTTPS Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to communicate with your Apache web server over https.

Setting Value
Name Apache-https
Device Type generic
Access Protocol HTTP or HTTPS
Port 80 (HTTP) or 443 (HTTPS)
URL server-status?auto
User Name The admin account you created when configuring HTTPS
Password The password associated with the admin account

Apache Web Server

Apache Web Server

Support Added: FortiSIEM 4.8.1

Last Modification: FortiSIEM 6.4.0

Vendor Version Tested: Not Provided

Vendor: The Apache Software Foundation and the Apache HTTP Server Project

Product: Web Server

Product Information: https://httpd.apache.org/

What is Discovered and Monitored

Protocol

Information discovered

Metrics collected

Used for

SNMP

Application type

Process level metrics: CPU utilization, Memory utilization

Performance Monitoring

HTTP(S) via the mod-status module

Apachemetrics: Uptime, CPU load, Total Accesses, Total Bytes Connections, Requests/sec, Bytes/sec, Bytes/req, Busy Workers, Idle Workers

Performance Monitoring

Syslog

Application type

W3C access logs: attributes include Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration

Security Monitoring and compliance

Event Types

In ADMIN > Device Support > Event Types, search for "apache" to see the event types associated with this device.

Reports

In RESOURCES > Reports, search for "apache" in the main content panel Search... field to see the reports associated with this device.

Configuration

The Apache Web Server Configuration instructions utilizes a reference point for where Apache installs by default. Based on your own configuration, Apache may be installed in the following locations:

/etc

/etc/httpd

/usr/local

Adjust your configuration according to your installed Apache directory.

Syslog via Rsyslog

To use rsyslog to collect and send Apache logs via syslog, take the following steps:
Notes:

  • Rsyslog Tag= is case sensitive, so ensure it is entered properly.

  • For steps 4 and 5, change the path as required to direct it to your ssl_access.log and ssl_error.log files.

  • For step 6, replace <FortiSIEM collector IP or hostname> with your actual FortiSIEM collector IP or hostname.

  1. Locate where your Apache installation is writing log files, such as error or access logs. Here is a typical location:

    /var/log/httpd/ssl_access_log

    /var/log/httpd/ssl_error_log

  2. Locate rsyslog.conf. Here is a typical location:

    /etc/rsyslog.conf

  3. Add imfile module to your rsyslog.conf file in the modules section.

    module(load="imfile" PollingInterval="10")

  4. Place the following inputs below the modules section for Apache access log in your rsyslog.conf file.

    input(type="imfile" File="/var/log/httpd/ssl_access_log"

    Tag="Apache_AccessLog:"

    Severity="error"

    Facility="local6")

  5. Place the following inputs below for Apache error log in your rsyslog.conf file.

    input(type="imfile" File="/var/log/httpd/ssl_error_log"

    Tag="Apache_ErrorLog:"

    Severity="info"

    Facility="local6")

  6. Place the following in the rules section in your rsyslog.conf file.

    local6.* @<FortiSIEM collector IP or hostname>:514

  7. Restart rsyslog by running the following command.

    systemctl restart rsyslog

  8. Confirm that logs are arriving. Ensure that your firewall(s) allow UDP 514 inbound to target IP.

Example Log

<179>Mar 22 00:41:50 lab1.example.com Apache_AccessLog: 192.0.20.0 - - [22/Mar/2022:00:41:48 +0000] "POST /phoenix/rest/h5/rt/start2?t=t1647909924028&s=333078424F54496950533135435470487275415A5974705451387635564B39496D4949717865776A HTTP/1.1" 200 36
SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

HTTPS

To communicate with FortiSIEM over HTTPS, you must configure the mod_status module in your Apache web server.

  1. Log in to your web server as an administrator.
  2. Open the configuration file /etc/Httpd.conf.
  3. Modify the file as shown in these code blocks, depending on whether you are connecting over HTTP without authentication, or over HTTPS with authentication.
    Without Authentication
       LoadModule status_module modules/mod_status.so
       ...
       ExtendedStatus on
       ...
       #Configuration without authentication
       <Location /server-status>       SetHandler server-status
           Order Deny,Allow
           Deny from all
           Allow from .foo.com
       </Location>
    

    With Authentication
       LoadModule status_module modules/mod_status.so
       ...
       ExtendedStatus on
       ...
       #Configuration with authentication
       <Location /server-status>      SetHandler server-status
          Order deny,allow
          Deny from all
          Allow from all
          AuthType Basic
          AuthUserFile /etc/httpd/account/users
          AuthGroupFile /etc/httpd/account/groups
          AuthName "Admin"      Require group admin
          Satisfy all
      </Location>
  4. If you are using authentication, you will have to add user authentication credentials.
    1. Go to /etc/httpd, and if necessary, create an account directory.
    2. In the account directory, create two files, users and groups.
    3. In the groups file, enter admin:admin.
    4. Create a password for the admin user.

      htpasswd --c users admin
  5. Reload Apache.
    /etc/init.d/httpd reload

You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Syslog via Snare Logging Agent

Install and configure Epilog application to send syslog to FortiSIEM

  1. Download Epilog from snare, information to download here, and install it on your Windows Server.
  2. For Windows, launch Epilog from Start→All Programs→InterSect Alliance→Epilog for windows
  3. For Linux, enter http://<yourApacheServerIp>:6162
  4. Configure Epilog application as follows
    1. Go to Log Configuration. Click the Add button and add the following log files to be sent to FortiSIEM
      • /etc/httpd/logs/access_log
      • /etc/httpd/logs/ssl_access_log
    2. Go to Network Configuration
      1. Set AO System IP(all-in-1 or collector) in Destination Server address (10.1.2.20 here);
      2. Set 514 in Destination Port text area
      3. Click Change Configuration to save the configuration
    3. Apply the Latest Audit Configuration. Apache logs will now sent to FortiSIEM in real time.

Define the Apache Log Format

You must define the format of the logs that Apache will send to FortiSIEM.

  1. Open the file /etc/httpd/conf.d/ssl.conf for editing.
  2. Add this line to the file.
    CustomLog logs/ssl_request_log combined
    
  3. Uncomment this line in the file.
    #CustomLog logs/access_log common
    
  4. Add this line to the file.
    CustomLog logs/access_log combined
    
  5. Reload Apache.
    /etc/init.d/httpd reload

Apache Syslog Log Format

<142>Sep 17 13:27:37 SJ-Dev-S-RH-VMW-01.prospecthills.net ApacheLog   192.168.20.35 - - [17/Sep/2009:13:27:37 -0700] "GET /icons/apache_pb2.gif HTTP/1.1" 200 2414 "http://192.168.0.30/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"<134>Mar  4 17:08:04 137.146.28.68 httpd: [ID 702911 local0.info] 192.168.20.38 - - [04/Mar/2010:16:35:21 -0800] "GET /bugzilla-3.0.4/ HTTP/1.1" 200 10791 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6"<142>Sep 17 13:27:37 135.134.33.23 HTTP: [ID 702911 local0.info] 192.168.20.38 - - [04/Mar/2010:16:35:21 -0800] "GET /bugzilla-3.0.4/ HTTP/1.1" 200 10791 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6"

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Setting Value
Name <set name>
Device Type Generic
Access Protocol SNMP
Community String <your own>
Settings for Apache Web Server HTTPS Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to communicate with your Apache web server over https.

Setting Value
Name Apache-https
Device Type generic
Access Protocol HTTP or HTTPS
Port 80 (HTTP) or 443 (HTTPS)
URL server-status?auto
User Name The admin account you created when configuring HTTPS
Password The password associated with the admin account