
External Systems Configuration Guide

Apache Web Server

Support Added: FortiSIEM 4.8.1

Last Modification: FortiSIEM 7.2.3

Vendor Version Tested: Not Provided

Vendor: The Apache Software Foundation and the Apache HTTP Server Project

Product: Web Server

Product Information: https://httpd.apache.org/

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Application type
Metrics collected: Process level metrics: CPU utilization, Memory utilization
Used for: Performance Monitoring

Protocol: HTTP(S) via the mod_status module
Information discovered: none
Metrics collected: Apache metrics: Uptime, CPU load, Total Accesses, Total Bytes, Connections, Requests/sec, Bytes/sec, Bytes/req, Busy Workers, Idle Workers
Used for: Performance Monitoring

Protocol: Syslog
Information discovered: Application type
Metrics collected: W3C access logs: attributes include Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration
Used for: Security Monitoring and compliance

Event Types

In ADMIN > Device Support > Event Types, search for "apache" to see the event types associated with this device.

Reports

In RESOURCES > Reports, search for "apache" in the main content panel Search... field to see the reports associated with this device.

Configuration

These Apache Web Server configuration instructions use a reference point for where Apache installs by default. Depending on your own configuration, Apache may be installed in one of the following locations:

/etc

/etc/httpd

/usr/local

Adjust your configuration according to your installed Apache directory.

Syslog via Rsyslog

To use rsyslog to collect and send Apache logs via syslog, take the following steps:

Notes:

  • Rsyslog Tag= is case sensitive, so ensure it is entered properly.

  • For steps 4 and 5, change the path as required to direct it to your ssl_access.log and ssl_error.log files.

  • For step 6, replace <FortiSIEM collector IP or hostname> with your actual FortiSIEM collector IP or hostname.

  1. Locate where your Apache installation is writing log files, such as error or access logs. Here is a typical location:

    /var/log/httpd/ssl_access_log

    /var/log/httpd/ssl_error_log

  2. Locate rsyslog.conf. Here is a typical location:

    /etc/rsyslog.conf

  3. Add the imfile module to your rsyslog.conf file in the modules section.

    module(load="imfile" PollingInterval="10")

  4. Place the following input for the Apache access log below the modules section in your rsyslog.conf file.

    input(type="imfile" File="/var/log/httpd/ssl_access_log"
          Tag="Apache_AccessLog:"
          Severity="error"
          Facility="local6")

  5. Place the following input for the Apache error log below it in your rsyslog.conf file.

    input(type="imfile" File="/var/log/httpd/ssl_error_log"
          Tag="Apache_ErrorLog:"
          Severity="info"
          Facility="local6")

  6. Place the following in the rules section in your rsyslog.conf file.

    local6.* @<FortiSIEM collector IP or hostname>:514

  7. Restart rsyslog by running the following command.

    systemctl restart rsyslog

  8. Confirm that logs are arriving. Ensure that your firewall(s) allow UDP 514 inbound to the target IP.

Example Log

<179>Mar 22 00:41:50 lab1.example.com Apache_AccessLog: 192.0.20.0 - - [22/Mar/2022:00:41:48 +0000] "POST /phoenix/rest/h5/rt/start2?t=t1647909924028&s=333078424F54496950533135435470487275415A5974705451387635564B39496D4949717865776A HTTP/1.1" 200 36
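
As an added example (not part of this Fortinet page or of FortiSIEM), the following Python parses the example log above: it decodes the <179> PRI back into the Facility="local6" and Severity="error" set in step 4, then extracts the access-log attributes listed under "What is Discovered and Monitored". The second sample line and all function names are my own.

```python
import re

# Syslog envelope as rsyslog's imfile input on this page emits it:
# <PRI>timestamp host Tag: payload
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\s]+): (?P<msg>.*)$")
# Apache 'combined' format (the CustomLog ... combined lines later on this page produce it);
# referrer and user agent are optional so plain 'common' lines parse too.
ACCESS_RE = re.compile(
    r'^(?P<client_ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/(?P<http_version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<sent_bytes>\d+|-)'
    r'(?: "(?P<referrer>[^"]*)" "(?P<user_agent>[^"]*)")?$')
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# The example log from this page (access log sent with Facility local6, Severity error).
PAGE_EXAMPLE = (
    '<179>Mar 22 00:41:50 lab1.example.com Apache_AccessLog: 192.0.20.0 - - '
    '[22/Mar/2022:00:41:48 +0000] "POST /phoenix/rest/h5/rt/start2?t=t1647909924028'
    '&s=333078424F54496950533135435470487275415A5974705451387635564B39496D4949717865776A'
    ' HTTP/1.1" 200 36')
# Constructed line in 'combined' format with referrer and user agent (not real traffic).
CONSTRUCTED_COMBINED = (
    '<179>Mar 22 00:42:07 lab1.example.com Apache_AccessLog: 198.51.100.7 - - '
    '[22/Mar/2022:00:42:05 +0000] "GET /missing/page HTTP/1.1" 404 196 '
    '"-" "curl/8.0.1"')

def decode_pri(pri):
    """PRI = facility * 8 + severity. local6 is facility 22, so 22*8 + 3 = 179
    (rsyslog's Severity="error" is the standard 'err', level 3)."""
    facility, severity = divmod(pri, 8)
    name = "local%d" % (facility - 16) if 16 <= facility <= 23 else str(facility)
    return name, SEVERITIES[severity]

def parse_apache_syslog(line):
    """Return the attributes listed under 'W3C access logs' on this page,
    plus the syslog facility/severity/host/tag taken from the envelope."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line[:40])
    facility, severity = decode_pri(int(m.group("pri")))
    a = ACCESS_RE.match(m.group("msg"))
    if not a:
        raise ValueError("payload is not Apache common/combined format")
    event = {"facility": facility, "severity": severity,
             "host": m.group("host"), "tag": m.group("tag")}
    event.update(a.groupdict())
    event["status"] = int(event["status"])
    event["sent_bytes"] = 0 if event["sent_bytes"] == "-" else int(event["sent_bytes"])
    return event

def client_error_ips(lines):
    """Clients that received any 4xx/5xx response: a simple security-monitoring check."""
    return sorted({e["client_ip"] for e in map(parse_apache_syslog, lines) if e["status"] >= 400})
```
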

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

HTTPS

To communicate with FortiSIEM over HTTPS, you must configure the mod_status module in your Apache web server.

  1. Log in to your web server as an administrator.
  2. Open the configuration file /etc/Httpd.conf.
  3. Modify the file as shown in these code blocks, depending on whether you are connecting over HTTP without authentication, or over HTTPS with authentication.

    Without Authentication

       LoadModule status_module modules/mod_status.so
       ...
       ExtendedStatus on
       ...
       #Configuration without authentication
       <Location /server-status>
           SetHandler server-status
           Order Deny,Allow
           Deny from all
           # Replace .foo.com with the domain or address of your FortiSIEM collector
           Allow from .foo.com
       </Location>

    With Authentication

       LoadModule status_module modules/mod_status.so
       ...
       ExtendedStatus on
       ...
       #Configuration with authentication
       <Location /server-status>
           SetHandler server-status
           Order deny,allow
           Deny from all
           Allow from all
           AuthType Basic
           AuthUserFile /etc/httpd/account/users
           AuthGroupFile /etc/httpd/account/groups
           AuthName "Admin"
           Require group admin
           # Satisfy all: both the host rules above and the Basic authentication must pass
           Satisfy all
       </Location>

  4. If you are using authentication, you will have to add user authentication credentials.
    1. Go to /etc/httpd, and if necessary, create an account directory.
    2. In the account directory, create two files, users and groups.
    3. In the groups file, enter admin:admin.
    4. Create a password for the admin user.

      htpasswd -c users admin

  5. Reload Apache.

    /etc/init.d/httpd reload

You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Syslog via FortiSIEM Windows Agent or Linux Agent

For Windows Agent, take the following steps:

  1. Log in to the FortiSIEM GUI.

  2. Navigate to Admin > Setup, and click the Windows Agent tab.

  3. Under Windows Agent Monitor Templates, click New to create a new template, or click an existing template and click Edit.

  4. If creating a new template, on the Generic tab, in the Name field, enter a name for the template.

  5. Click the User Log tab, and click New.

    1. In the Full File Name field, enter the full file name (including path) to be monitored.

    2. In the Log Prefix field, enter a log prefix that needs to be added to the log.

    3. Click Save.

  6. Click Save.

  7. Under Host To Template Associations, click New to create a Host To Template Association, or select an existing one and click Edit.

  8. If creating a new Host To Template Association, in the Name field, enter a name for it.

  9. From the Host drop-down list, select the host(s).

  10. At Template, attach the template to one or more server hosts by selecting its checkbox, then click Save.

  11. Under Host to Template Associations, click Apply.

    The logs will have a prefix set by Log Prefix that can be used to write a Parser for these files.

    For details, see Configuring Windows Agent.

For Linux Agent, take the following steps:

  1. Log in to the FortiSIEM GUI.

  2. Navigate to Admin > Setup, and click the Linux Agent tab.

  3. Under Linux Agent Monitor Templates, click New to create a new template, or click an existing template and click Edit.

  4. If creating a new template, on the Generic tab, in the Name field, enter a name for the template.

  5. Click the Log File tab, and click New.

    1. In the Full File Name field, enter the full file name (including path) to be monitored.

    2. In the Log Prefix field, enter a log prefix that needs to be added to the log.

    3. Click Save.

  6. Click Save.

  7. Under Host To Template Associations, click New to create a Host To Template Association, or select an existing one and click Edit.

  8. If creating a new Host To Template Association, in the Name field, enter a name for it.

  9. From the Host drop-down list, select the host(s).

  10. At Template, attach the template to one or more server hosts by selecting its checkbox, then click Save.

  11. Under Host to Template Associations, click Apply.

    The logs will have a prefix set by Log Prefix that can be used to write a Parser for these files.

    For details, see Configuring Linux Agent.


Define the Apache Log Format

You must define the format of the logs that Apache will send to FortiSIEM.

  1. Open the file /etc/httpd/conf.d/ssl.conf for editing.
  2. Add the following line to the file.

    CustomLog logs/ssl_request_log combined

  3. Uncomment the following line in the file.

    #CustomLog logs/access_log common

  4. Add the following line to the file.

    CustomLog logs/access_log combined

  5. Reload Apache.

    /etc/init.d/httpd reload

Apache Syslog Log Format

2024-10-28T22:55:22Z USER-WIN2016.getest.com 192.0.20.0 AccelOps-WUA-UserFile-apach_log [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="4a2804f4-e1b6-4e01-ac76-de5aa103d253" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [fileName]="C:\\Apache24\\logs\\access.log" [msg]="::1 - - [28/Oct/2024:15:55:16 -0700] \"GET / HTTP/1.1\" 304 -"

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Setting Value
Name <set name>
Device Type Generic
Access Protocol SNMP
Community String <your own>

Settings for Apache Web Server HTTPS Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to communicate with your Apache web server over HTTPS.

Setting Value
Name Apache-https
Device Type Generic
Access Protocol HTTP or HTTPS
Port 80 (HTTP) or 443 (HTTPS)
URL server-status?auto
User Name The admin account you created when configuring HTTPS
Password The password associated with the admin account
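
The URL server-status?auto above returns the machine-readable form of the mod_status page configured in the HTTPS section. As an added example (not FortiSIEM or Apache code), the following Python parses that output into the metrics listed under "What is Discovered and Monitored" and fails clearly when ExtendedStatus is off; the sample output is constructed, and the function names and the worker-utilization figure are my own additions.

```python
import base64
import urllib.request

# Metric name used on this page -> key in the server-status?auto output.
METRIC_KEYS = {
    "Uptime": "Uptime", "CPU load": "CPULoad", "Total Accesses": "Total Accesses",
    "Total kBytes": "Total kBytes", "Requests/sec": "ReqPerSec",
    "Bytes/sec": "BytesPerSec", "Bytes/req": "BytesPerReq",
    "Busy Workers": "BusyWorkers", "Idle Workers": "IdleWorkers",
}
EXTENDED_ONLY = ("CPULoad", "ReqPerSec", "BytesPerSec", "BytesPerReq")  # need ExtendedStatus on
SAMPLE_AUTO = "\n".join([  # constructed sample of an event-MPM server's reply, not real output
    "www.example.com",
    "Total Accesses: 12345",
    "Total kBytes: 67890",
    "CPULoad: .0026",
    "Uptime: 86400",
    "ReqPerSec: .142882",
    "BytesPerSec: 804.78",
    "BytesPerReq: 5632.35",
    "BusyWorkers: 3",
    "IdleWorkers: 72",
    "ConnsTotal: 5",
    "Scoreboard: " + "WWW" + "_" * 72 + "." * 25,
])

def parse_status_auto(text):
    """Split the 'Key: value' lines into a dict; the first line is a bare hostname."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def extended_status_enabled(fields):
    """False when httpd.conf lacks 'ExtendedStatus on': the rate fields are then absent."""
    return all(k in fields for k in EXTENDED_ONLY)

def collect_metrics(fields):
    """Map the raw fields onto the metric names this page lists."""
    if not extended_status_enabled(fields):
        raise ValueError("rate fields missing: set 'ExtendedStatus on' in httpd.conf")
    metrics = {name: float(fields[key]) for name, key in METRIC_KEYS.items()}
    metrics["Total Bytes"] = metrics.pop("Total kBytes") * 1024
    metrics["Connections"] = float(fields["ConnsTotal"]) if "ConnsTotal" in fields else None  # event MPM only
    board = fields.get("Scoreboard", "")
    slots = len(board) - board.count(".")          # '.' is an open slot with no worker
    busy = sum(1 for c in board if c not in "_.")  # '_' is a worker waiting for a connection
    metrics["Worker utilization"] = busy / slots if slots else 0.0
    return metrics

def fetch_status(url, user, password, timeout=10):
    """GET server-status?auto with the Basic credentials from the HTTPS section (network call)."""
    req = urllib.request.Request(url)
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")
```

fetch_status is the only part that touches the network; feed its result to parse_status_auto and collect_metrics to see exactly what FortiSIEM's HTTPS poll collects.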
