Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • External Systems Configuration Guide

    Home FortiSIEM 6.7.4 External Systems Configuration Guide
    6.7.4
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.7.9
    6.7.8
    6.7.7
    6.7.6
    6.7.5
    6.7.4
    6.7.3
    6.7.2
    6.7.1
    6.7.0
    6.6.5
    6.6.4
    6.6.3
    6.6.2
    6.6.1
    6.6.0
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    6.1.0
    5.4.0
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.0.0

    Apache Web Server

    Apache Web Server

    Support Added: FortiSIEM 4.8.1

    Last Modification: FortiSIEM 6.4.0

    Vendor Version Tested: Not Provided

    Vendor: The Apache Software Foundation and the Apache HTTP Server Project

    Product: Web Server

    Product Information: https://httpd.apache.org/

    What is Discovered and Monitored

    Protocol

    Information discovered

    Metrics collected

    Used for

    SNMP

    Application type

    Process level metrics: CPU utilization, Memory utilization

    Performance Monitoring

    HTTP(S) via the mod-status module

    Apachemetrics: Uptime, CPU load, Total Accesses, Total Bytes Connections, Requests/sec, Bytes/sec, Bytes/req, Busy Workers, Idle Workers

    Performance Monitoring

    Syslog

    Application type

    W3C access logs: attributes include Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration

    Security Monitoring and compliance

    Event Types

    In ADMIN > Device Support > Event Types, search for "apache" to see the event types associated with this device.

    Reports

    In RESOURCES > Reports, search for "apache" in the main content panel Search... field to see the reports associated with this device.

    Configuration

    The Apache Web Server Configuration instructions utilizes a reference point for where Apache installs by default. Based on your own configuration, Apache may be installed in the following locations:

    /etc

    /etc/httpd

    /usr/local

    Adjust your configuration according to your installed Apache directory.

    Syslog via Rsyslog

    To use rsyslog to collect and send Apache logs via syslog, take the following steps:
    Notes:

    • Rsyslog Tag= is case sensitive, so ensure it is entered properly.

    • For steps 4 and 5, change the path as required to direct it to your ssl_access.log and ssl_error.log files.

    • For step 6, replace <FortiSIEM collector IP or hostname> with your actual FortiSIEM collector IP or hostname.

    1. Locate where your Apache installation is writing log files, such as error or access logs. Here is a typical location:

      /var/log/httpd/ssl_access_log

      /var/log/httpd/ssl_error_log

    2. Locate rsyslog.conf. Here is a typical location:

      /etc/rsyslog.conf

    3. Add imfile module to your rsyslog.conf file in the modules section.

      module(load="imfile" PollingInterval="10")

    4. Place the following inputs below the modules section for Apache access log in your rsyslog.conf file.

      input(type="imfile" File="/var/log/httpd/ssl_access_log"

      Tag="Apache_AccessLog:"

      Severity="error"

      Facility="local6")

    5. Place the following inputs below for Apache error log in your rsyslog.conf file.

      input(type="imfile" File="/var/log/httpd/ssl_error_log"

      Tag="Apache_ErrorLog:"

      Severity="info"

      Facility="local6")

    6. Place the following in the rules section in your rsyslog.conf file.

      local6.* @<FortiSIEM collector IP or hostname>:514

    7. Restart rsyslog by running the following command.

      systemctl restart rsyslog

    8. Confirm that logs are arriving. Ensure that your firewall(s) allow UDP 514 inbound to target IP.

    Example Log 

    <179>Mar 22 00:41:50 lab1.example.com Apache_AccessLog: 192.0.20.0 - - [22/Mar/2022:00:41:48 +0000] "POST /phoenix/rest/h5/rt/start2?t=t1647909924028&s=333078424F54496950533135435470487275415A5974705451387635564B39496D4949717865776A HTTP/1.1" 200 36
    SNMP

    FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

    HTTPS

    To communicate with FortiSIEM over HTTPS, you must configure the mod_status module in your Apache web server.

    1. Log in to your web server as an administrator.
    2. Open the configuration file /etc/Httpd.conf.
    3. Modify the file as shown in these code blocks, depending on whether you are connecting over HTTP without authentication, or over HTTPS with authentication.
      Without Authentication
         LoadModule status_module modules/mod_status.so
   ...
   ExtendedStatus on
   ...
   #Configuration without authentication
   <Location /server-status>       SetHandler server-status
       Order Deny,Allow
       Deny from all
       Allow from .foo.com
   </Location>

      With Authentication
         LoadModule status_module modules/mod_status.so
   ...
   ExtendedStatus on
   ...
   #Configuration with authentication
   <Location /server-status>      SetHandler server-status
      Order deny,allow
      Deny from all
      Allow from all
      AuthType Basic
      AuthUserFile /etc/httpd/account/users
      AuthGroupFile /etc/httpd/account/groups
      AuthName "Admin"      Require group admin
      Satisfy all
  </Location>
    4. If you are using authentication, you will have to add user authentication credentials.
      1. Go to /etc/httpd, and if necessary, create an account directory.
      2. In the account directory, create two files, users and groups.
      3. In the groups file, enter admin:admin.

      4. Create a password for the admin user.

        htpasswd --c users admin
    5. Reload Apache.
      /etc/init.d/httpd reload

    You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

    Syslog via Snare Logging Agent

    Install and configure Epilog application to send syslog to FortiSIEM

    1. Download Epilog from snare, information to download here, and install it on your Windows Server.
    2. For Windows, launch Epilog from Start→All Programs→InterSect Alliance→Epilog for windows
    3. For Linux, enter http://<yourApacheServerIp>:6162
    4. Configure Epilog application as follows
      1. Go to Log Configuration. Click the Add button and add the following log files to be sent to FortiSIEM
        • /etc/httpd/logs/access_log
        • /etc/httpd/logs/ssl_access_log
      2. Go to Network Configuration
        1. Set AO System IP(all-in-1 or collector) in Destination Server address (10.1.2.20 here);
        2. Set 514 in Destination Port text area
        3. Click Change Configuration to save the configuration
      3. Apply the Latest Audit Configuration. Apache logs will now sent to FortiSIEM in real time.

    Define the Apache Log Format

    You must define the format of the logs that Apache will send to FortiSIEM.

    1. Open the file /etc/httpd/conf.d/ssl.conf for editing.
    2. Add this line to the file. 
      CustomLog logs/ssl_request_log combined
    3. Uncomment this line in the file. 
      #CustomLog logs/access_log common
    4. Add this line to the file. 
      CustomLog logs/access_log combined
    5. Reload Apache. 
      /etc/init.d/httpd reload

    Apache Syslog Log Format

    <142>Sep 17 13:27:37 SJ-Dev-S-RH-VMW-01.example.net ApacheLog   192.168.20.35 - - [17/Sep/2009:13:27:37 -0700] "GET /icons/apache_pb2.gif HTTP/1.1" 200 2414 "http://192.168.0.30/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"<134>Mar  4 17:08:04 137.146.28.68 httpd: [ID 702911 local0.info] 192.168.20.38 - - [04/Mar/2010:16:35:21 -0800] "GET /bugzilla-3.0.4/ HTTP/1.1" 200 10791 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6"<142>Sep 17 13:27:37 135.134.33.23 HTTP: [ID 702911 local0.info] 192.168.20.38 - - [04/Mar/2010:16:35:21 -0800] "GET /bugzilla-3.0.4/ HTTP/1.1" 200 10791 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6"

    Settings for Access Credentials

    SNMP Access Credentials for All Devices

    Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

    Setting Value
    Name <set name>
    Device Type Generic
    Access Protocol SNMP
    Community String <your own>
    Settings for Apache Web Server HTTPS Access Credentials

    Use these Access Method Definition settings to allow FortiSIEM to communicate with your Apache web server over https.

    Setting Value
    Name Apache-https
    Device Type generic
    Access Protocol HTTP or HTTPS
    Port 80 (HTTP) or 443 (HTTPS)
    URL server-status?auto
    User Name The admin account you created when configuring HTTPS
    Password The password associated with the admin account
    Previous
    Next

    Apache Web Server

    Apache Web Server

    Support Added: FortiSIEM 4.8.1

    Last Modification: FortiSIEM 6.4.0

    Vendor Version Tested: Not Provided

    Vendor: The Apache Software Foundation and the Apache HTTP Server Project

    Product: Web Server

    Product Information: https://httpd.apache.org/

    What is Discovered and Monitored

    Protocol

    Information discovered

    Metrics collected

    Used for

    SNMP

    Application type

    Process level metrics: CPU utilization, Memory utilization

    Performance Monitoring

    HTTP(S) via the mod-status module

    Apachemetrics: Uptime, CPU load, Total Accesses, Total Bytes Connections, Requests/sec, Bytes/sec, Bytes/req, Busy Workers, Idle Workers

    Performance Monitoring

    Syslog

    Application type

    W3C access logs: attributes include Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration

    Security Monitoring and compliance

    Event Types

    In ADMIN > Device Support > Event Types, search for "apache" to see the event types associated with this device.

    Reports

    In RESOURCES > Reports, search for "apache" in the main content panel Search... field to see the reports associated with this device.

    Configuration

    The Apache Web Server Configuration instructions utilizes a reference point for where Apache installs by default. Based on your own configuration, Apache may be installed in the following locations:

    /etc

    /etc/httpd

    /usr/local

    Adjust your configuration according to your installed Apache directory.

    Syslog via Rsyslog

    To use rsyslog to collect and send Apache logs via syslog, take the following steps:
    Notes:

    • Rsyslog Tag= is case sensitive, so ensure it is entered properly.

    • For steps 4 and 5, change the path as required to direct it to your ssl_access.log and ssl_error.log files.

    • For step 6, replace <FortiSIEM collector IP or hostname> with your actual FortiSIEM collector IP or hostname.

    1. Locate where your Apache installation is writing log files, such as error or access logs. Here is a typical location:

      /var/log/httpd/ssl_access_log

      /var/log/httpd/ssl_error_log

    2. Locate rsyslog.conf. Here is a typical location:

      /etc/rsyslog.conf

    3. Add imfile module to your rsyslog.conf file in the modules section.

      module(load="imfile" PollingInterval="10")

    4. Place the following inputs below the modules section for Apache access log in your rsyslog.conf file.

      input(type="imfile" File="/var/log/httpd/ssl_access_log"

      Tag="Apache_AccessLog:"

      Severity="error"

      Facility="local6")

    5. Place the following inputs below for Apache error log in your rsyslog.conf file.

      input(type="imfile" File="/var/log/httpd/ssl_error_log"

      Tag="Apache_ErrorLog:"

      Severity="info"

      Facility="local6")

    6. Place the following in the rules section in your rsyslog.conf file.

      local6.* @<FortiSIEM collector IP or hostname>:514

    7. Restart rsyslog by running the following command.

      systemctl restart rsyslog

    8. Confirm that logs are arriving. Ensure that your firewall(s) allow UDP 514 inbound to target IP.

    Example Log 

    <179>Mar 22 00:41:50 lab1.example.com Apache_AccessLog: 192.0.20.0 - - [22/Mar/2022:00:41:48 +0000] "POST /phoenix/rest/h5/rt/start2?t=t1647909924028&s=333078424F54496950533135435470487275415A5974705451387635564B39496D4949717865776A HTTP/1.1" 200 36
    SNMP

    FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

    HTTPS

    To communicate with FortiSIEM over HTTPS, you must configure the mod_status module in your Apache web server.

    1. Log in to your web server as an administrator.
    2. Open the configuration file /etc/Httpd.conf.
    3. Modify the file as shown in these code blocks, depending on whether you are connecting over HTTP without authentication, or over HTTPS with authentication.
      Without Authentication
         LoadModule status_module modules/mod_status.so
   ...
   ExtendedStatus on
   ...
   #Configuration without authentication
   <Location /server-status>       SetHandler server-status
       Order Deny,Allow
       Deny from all
       Allow from .foo.com
   </Location>

      With Authentication
         LoadModule status_module modules/mod_status.so
   ...
   ExtendedStatus on
   ...
   #Configuration with authentication
   <Location /server-status>      SetHandler server-status
      Order deny,allow
      Deny from all
      Allow from all
      AuthType Basic
      AuthUserFile /etc/httpd/account/users
      AuthGroupFile /etc/httpd/account/groups
      AuthName "Admin"      Require group admin
      Satisfy all
  </Location>
    4. If you are using authentication, you will have to add user authentication credentials.
      1. Go to /etc/httpd, and if necessary, create an account directory.
      2. In the account directory, create two files, users and groups.
      3. In the groups file, enter admin:admin.

      4. Create a password for the admin user.

        htpasswd --c users admin
    5. Reload Apache.
      /etc/init.d/httpd reload

    You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

    Syslog via Snare Logging Agent

    Install and configure Epilog application to send syslog to FortiSIEM

    1. Download Epilog from snare, information to download here, and install it on your Windows Server.
    2. For Windows, launch Epilog from Start→All Programs→InterSect Alliance→Epilog for windows
    3. For Linux, enter http://<yourApacheServerIp>:6162
    4. Configure Epilog application as follows
      1. Go to Log Configuration. Click the Add button and add the following log files to be sent to FortiSIEM
        • /etc/httpd/logs/access_log
        • /etc/httpd/logs/ssl_access_log
      2. Go to Network Configuration
        1. Set AO System IP(all-in-1 or collector) in Destination Server address (10.1.2.20 here);
        2. Set 514 in Destination Port text area
        3. Click Change Configuration to save the configuration
      3. Apply the Latest Audit Configuration. Apache logs will now sent to FortiSIEM in real time.

    Define the Apache Log Format

    You must define the format of the logs that Apache will send to FortiSIEM.

    1. Open the file /etc/httpd/conf.d/ssl.conf for editing.
    2. Add this line to the file. 
      CustomLog logs/ssl_request_log combined
    3. Uncomment this line in the file. 
      #CustomLog logs/access_log common
    4. Add this line to the file. 
      CustomLog logs/access_log combined
    5. Reload Apache. 
      /etc/init.d/httpd reload

    Apache Syslog Log Format

    <142>Sep 17 13:27:37 SJ-Dev-S-RH-VMW-01.example.net ApacheLog   192.168.20.35 - - [17/Sep/2009:13:27:37 -0700] "GET /icons/apache_pb2.gif HTTP/1.1" 200 2414 "http://192.168.0.30/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"<134>Mar  4 17:08:04 137.146.28.68 httpd: [ID 702911 local0.info] 192.168.20.38 - - [04/Mar/2010:16:35:21 -0800] "GET /bugzilla-3.0.4/ HTTP/1.1" 200 10791 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6"<142>Sep 17 13:27:37 135.134.33.23 HTTP: [ID 702911 local0.info] 192.168.20.38 - - [04/Mar/2010:16:35:21 -0800] "GET /bugzilla-3.0.4/ HTTP/1.1" 200 10791 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6"

    Settings for Access Credentials

    SNMP Access Credentials for All Devices

    Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

    Setting Value
    Name <set name>
    Device Type Generic
    Access Protocol SNMP
    Community String <your own>
    Settings for Apache Web Server HTTPS Access Credentials

    Use these Access Method Definition settings to allow FortiSIEM to communicate with your Apache web server over https.

    Setting Value
    Name Apache-https
    Device Type generic
    Access Protocol HTTP or HTTPS
    Port 80 (HTTP) or 443 (HTTPS)
    URL server-status?auto
    User Name The admin account you created when configuring HTTPS
    Password The password associated with the admin account
    Previous
    Next