Apache Web Server
Support Added: FortiSIEM 4.8.1
Last Modification: FortiSIEM 6.4.0
Vendor Version Tested: Not Provided
Vendor: The Apache Software Foundation and the Apache HTTP Server Project
Product: Web Server
Product Information: https://httpd.apache.org/
- What is Discovered and Monitored
- Event Types
- Reports
- Configuration
- Define the Apache Log Format
- Apache Syslog Log Format
- Settings for Access Credentials
What is Discovered and Monitored
Protocol | Information discovered | Metrics collected | Used for |
---|---|---|---|
SNMP | Application type | Process level metrics: CPU utilization, Memory utilization | Performance Monitoring |
HTTP(S) via the mod_status module | | Apache metrics: Uptime, CPU load, Total Accesses, Total Bytes, Connections, Requests/sec, Bytes/sec, Bytes/req, Busy Workers, Idle Workers | Performance Monitoring |
Syslog | Application type | W3C access logs: attributes include Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration | Security Monitoring and compliance |
Event Types
In ADMIN > Device Support > Event Types, search for "apache" to see the event types associated with this device.
Reports
In RESOURCES > Reports, search for "apache" in the main content panel Search... field to see the reports associated with this device.
Configuration
The Apache Web Server configuration instructions use the default Apache installation directory as a reference point. Depending on your own configuration, Apache may be installed in one of the following locations:
- /etc
- /etc/httpd
- /usr/local
Adjust the paths in these instructions according to your installed Apache directory.
Syslog via Rsyslog
To use rsyslog to collect and send Apache logs via syslog, take the following steps:
Notes:
- The rsyslog Tag= value is case sensitive, so ensure it is entered properly.
- For steps 4 and 5, change the path as required to direct it to your ssl_access.log and ssl_error.log files.
- For step 6, replace <FortiSIEM collector IP or hostname> with your actual FortiSIEM collector IP or hostname.
1. Locate where your Apache installation is writing log files, such as error or access logs. Here is a typical location:
   /var/log/httpd/ssl_access_log
   /var/log/httpd/ssl_error_log
2. Locate rsyslog.conf. Here is a typical location: /etc/rsyslog.conf
3. Add the imfile module to your rsyslog.conf file in the modules section.
   module(load="imfile" PollingInterval="10")
4. Place the following input below the modules section for the Apache access log in your rsyslog.conf file.
   input(type="imfile" File="/var/log/httpd/ssl_access_log"
         Tag="Apache_AccessLog:"
         Severity="error"
         Facility="local6")
5. Place the following input below it for the Apache error log in your rsyslog.conf file.
   input(type="imfile" File="/var/log/httpd/ssl_error_log"
         Tag="Apache_ErrorLog:"
         Severity="info"
         Facility="local6")
6. Place the following in the rules section in your rsyslog.conf file.
   local6.* @<FortiSIEM collector IP or hostname>:514
7. Restart rsyslog by running the following command.
   systemctl restart rsyslog
8. Confirm that logs are arriving. Ensure that your firewall(s) allow UDP 514 inbound to the target IP.
Example Log
<179>Mar 22 00:41:50 lab1.example.com Apache_AccessLog: 192.0.20.0 - - [22/Mar/2022:00:41:48 +0000] "POST /phoenix/rest/h5/rt/start2?t=t1647909924028&s=333078424F54496950533135435470487275415A5974705451387635564B39496D4949717865776A HTTP/1.1" 200 36
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
HTTPS
To communicate with FortiSIEM over HTTPS, you must configure the mod_status module in your Apache web server.
- Log in to your web server as an administrator.
- Open the configuration file /etc/Httpd.conf.
- Modify the file as shown in these code blocks, depending on whether you are connecting over HTTP without authentication, or over HTTPS with authentication.
  Without Authentication
    LoadModule status_module modules/mod_status.so
    ...
    ExtendedStatus on
    ...
    #Configuration without authentication
    <Location /server-status>
        SetHandler server-status
        Order Deny,Allow
        Deny from all
        Allow from .foo.com
    </Location>
  With Authentication
    LoadModule status_module modules/mod_status.so
    ...
    ExtendedStatus on
    ...
    #Configuration with authentication
    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from all
        AuthType Basic
        AuthUserFile /etc/httpd/account/users
        AuthGroupFile /etc/httpd/account/groups
        AuthName "Admin"
        Require group admin
        Satisfy all
    </Location>
- If you are using authentication, you will have to add user authentication credentials.
  - Go to /etc/httpd and, if necessary, create an account directory.
  - In the account directory, create two files, users and groups.
  - In the groups file, enter admin:admin.
  - Create a password for the admin user.
    htpasswd -c users admin
- Reload Apache.
  /etc/init.d/httpd reload
You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Syslog via Snare Logging Agent
Install and configure the Epilog application to send syslog to FortiSIEM:
- Download Epilog from Snare and install it on your Windows Server.
- Open the Epilog configuration interface:
  - For Windows, launch Epilog from Start→All Programs→InterSect Alliance→Epilog for windows.
  - For Linux, enter http://<yourApacheServerIp>:6162 in a browser.
- Configure the Epilog application as follows:
  - Go to Log Configuration. Click the Add button and add the following log files to be sent to FortiSIEM:
    /etc/httpd/logs/access_log
    /etc/httpd/logs/ssl_access_log
  - Go to Network Configuration.
  - Enter the FortiSIEM system IP (all-in-one or collector) in the Destination Server address field (10.1.2.20 in this example).
  - Enter 514 in the Destination Port field.
  - Click Change Configuration to save the configuration.
- Apply the Latest Audit Configuration. Apache logs will now be sent to FortiSIEM in real time.
Define the Apache Log Format
You must define the format of the logs that Apache will send to FortiSIEM.
- Open the file /etc/httpd/conf.d/ssl.conf for editing.
- Add the following line to the file.
  CustomLog logs/ssl_request_log combined
- Uncomment the following line in the file.
  #CustomLog logs/access_log common
- Add the following line to the file.
  CustomLog logs/access_log combined
- Reload Apache.
  /etc/init.d/httpd reload
Apache Syslog Log Format
<142>Sep 17 13:27:37 SJ-Dev-S-RH-VMW-01.example.net ApacheLog 192.168.20.35 - - [17/Sep/2009:13:27:37 -0700] "GET /icons/apache_pb2.gif HTTP/1.1" 200 2414 "http://192.168.0.30/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"
<134>Mar 4 17:08:04 137.146.28.68 httpd: [ID 702911 local0.info] 192.168.20.38 - - [04/Mar/2010:16:35:21 -0800] "GET /bugzilla-3.0.4/ HTTP/1.1" 200 10791 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6"
<142>Sep 17 13:27:37 135.134.33.23 HTTP: [ID 702911 local0.info] 192.168.20.38 - - [04/Mar/2010:16:35:21 -0800] "GET /bugzilla-3.0.4/ HTTP/1.1" 200 10791 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6"
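The following is an added example, not FortiSIEM or Apache code: it parses the syslog-wrapped Apache "combined" access-log lines shown in this section and in the rsyslog example above into the attributes listed under Syslog in the discovery table (client IP, method, URL, status, bytes, referrer, user agent), and recovers the facility and severity from the syslog PRI so you can confirm that a record really arrived on local6 as the imfile inputs configure. The three sample lines are the page's own example logs; the regular expressions and function names are this example's.

```python
import re
from typing import Optional

# Added example (not FortiSIEM or Apache code): parse the syslog-wrapped Apache
# "combined" access-log lines shown on this page. The tag may be plain
# ("Apache_AccessLog:", "ApacheLog") or Solaris-style ("httpd: [ID ... local0.info]").
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^\s:]+:?)(?:\s+\[ID [^\]]*\])?\s+(?P<msg>.*)$"
)
# Client IP, ident, user, timestamp, request line, status, bytes; referrer and
# user agent appear only when Apache writes the "combined" format.
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)")?$'
)
# Example logs taken from this page; the first carries the rsyslog imfile tag,
# severity and facility from the configuration steps above.
SAMPLES = [
    '<179>Mar 22 00:41:50 lab1.example.com Apache_AccessLog: 192.0.20.0 - - [22/Mar/2022:00:41:48 +0000] "POST /phoenix/rest/h5/rt/start2?t=t1647909924028&s=333078424F54496950533135435470487275415A5974705451387635564B39496D4949717865776A HTTP/1.1" 200 36',
    '<142>Sep 17 13:27:37 SJ-Dev-S-RH-VMW-01.example.net ApacheLog 192.168.20.35 - - [17/Sep/2009:13:27:37 -0700] "GET /icons/apache_pb2.gif HTTP/1.1" 200 2414 "http://192.168.0.30/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"',
    '<134>Mar 4 17:08:04 137.146.28.68 httpd: [ID 702911 local0.info] 192.168.20.38 - - [04/Mar/2010:16:35:21 -0800] "GET /bugzilla-3.0.4/ HTTP/1.1" 200 10791 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6"',
]
LOCAL6 = 22  # facility number selected by the "local6.*" rsyslog rule


def parse_apache_syslog(line: str) -> Optional[dict]:
    """Return the access-log attributes as a dict, or None for a non-matching line."""
    head = SYSLOG_RE.match(line)
    if not head:
        return None
    body = COMBINED_RE.match(head["msg"])
    if not body:
        return None
    pri = int(head["pri"])  # PRI = facility * 8 + severity
    rec = body.groupdict()
    rec.update(
        host=head["host"], tag=head["tag"], facility=pri >> 3, severity=pri & 7,
        status=int(rec["status"]), bytes=0 if rec["bytes"] == "-" else int(rec["bytes"]),
    )
    return rec


def forwarded_by_rsyslog_rule(rec: dict) -> bool:
    """True if the record has the local6 facility the imfile inputs set, so the
    "local6.*" rule in step 6 would forward it to the collector."""
    return rec["facility"] == LOCAL6
```

Run `parse_apache_syslog` over a line captured on the collector: a record whose facility is not 22 was not produced by the imfile inputs above, which usually points at a stray CustomLog or a second syslog sender.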
Settings for Access Credentials
SNMP Access Credentials for All Devices
Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.
Setting | Value |
---|---|
Name | <set name> |
Device Type | Generic |
Access Protocol | SNMP |
Community String | <your own> |
Settings for Apache Web Server HTTPS Access Credentials
Use these Access Method Definition settings to allow FortiSIEM to communicate with your Apache web server over HTTPS.
Setting | Value |
---|---|
Name | Apache-https |
Device Type | Generic |
Access Protocol | HTTP or HTTPS |
Port | 80 (HTTP) or 443 (HTTPS) |
URL | server-status?auto |
User Name | The admin account you created when configuring HTTPS |
Password | The password associated with the admin account |