Skip to content

Apache

Apache

About

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.

Product Details

Vendor URL: Apache HTTP Server - The Apache Software Foundation

Product Type: Web Server

Product Tier: Tier III

Integration Method: Syslog

Integration URL: The rocket-fast Syslog Server - rsyslog

Log Guide: Log Files - Apache HTTP Server

Parser Details

Log Format: JSON

Expected Normalization Rate: 75%

Data Label: APACHE

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
line additional.fields
id additional.fields
Unique ID additional.fields
TLS Version additional.fields
TLS Details additional.fields
environment additional.fields
Matched Data additional.fields
VER additional.fields
file target.file.full_path
dst target.ip
event_type metadata.event_type
hostname target.hostname
src principal.hostname
src principal.ip
pid principal.process.pid
response_code network.http.response_code
method network.http.method
referral_url target.url
user_agent network.http.user_agent
suser principal.user.userid
dst_port target.port
src_port principal.port
observer observer.hostname
observer observer.ip
response_code description metadata.description
summary metadata.description
ALLOW/BLOCK security_result.action
vendor metadata.vendor_name
product metadata.product_name
version metadata.product_version
rulename security_result.rule_name
LOW/MEDIUM/HIGH/CRITICAL security_result.severity
msg metadata.product_event_type
tag1-tag10 security_result.category_details

Product Event Types

type,subtype severity UDM Event Classification alerting enabled
apache_error STATUS_UNCATEGORIZED
HTTP NETWORK_HTTP
HTTPS NETWORK_HTTP
FTP NETWORK_FTP

Log Sample

2021-12-07 05:52:57 apache_server INFO MessageKey="_uBzk30B2" Message="{"@timestamp":"2021-12-07T05:52:57.189Z","@metadata":{"beat":"filebeat","type":"_doc","version":"7.10.0","_id":"_uBzk30B2"},"environment":["production"],"log":{"file":{"path":"/var/log/apache2/login.access.log"},"offset":228},"message":"[07/Dec/2021:05:52:56 +0000] -@10.10.10.111 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 \"GET /serviceValidate?ticket=ST-20/login/api.domain.com HTTP/1.1\" 200 809 \"Java/1.8.0_202\"","input":{"type":"log"},"fields":{"kafka_topic":"apache-logs","log_type":"access"},"ecs":{"version":"1.6.0"},"host":{"ip":["10.9.9.71","fc80::f816:3cff:fcd9:eff2","10.11.11.66","fc80::f816:3cff:cd09:cd49"],"architecture":"x86_64","os":{"version":"10 (buster)","family":"debian","name":"Debian GNU/Linux","kernel":"4.19.0-11-amd64","codename":"buster","platform":"debian"},"id":"d05eea0d74ba47ad","name":"apache-ext-001","mac":["fa:16:3e:d9:cd:c1","fa:16:3e:09:c0:49"],"hostname":"apache-ext-001","containerized":false,"fqdn":"apache-ext-001.companyname.com"},"agent":{"ephemeral_id":"7f204c75-0f90-4032-afa8","id":"56437723-3b83-4e2e-ab1e","name":"apache-ext-001","type":"filebeat","version":"7.10.0","hostname":"apache-ext-001"},"cloud":{"machine":{"type":"large"},"availability_zone":"host,"provider":"openstack","instance":{"name":"apache-ext-001.companyname.com","id":"i-00001"}}}"

Sample Parsing

metadata.event_timestamp = "2021-12-07T05:52:56Z"
metadata.event_type = "NETWORK_HTTP"
metadata.vendor_name = "APACHE"
metadata.product_name = "filebeat"
metadata.product_version = "7.10.0"
metadata.description = "Response Code:200 - OK - Standard response for successful HTTP requests."
metadata.ingested_timestamp = "2021-12-07T05:53:39.166073Z"
additional.TLS Details = "ECDHE-RSA-AES256-GCM-SHA384"
additional.TLS Version = "TLSv1.2"
additional.environment = "production"
principal.hostname = "NULL"
principal.user.userid = "-"
principal.ip = "10.10.10.111"
principal.asset.ip = "10.10.10.111"
target.hostname = "apache-ext-001"
target.ip = "10.9.9.71"
target.ip = "fc80::f816:3cff:fcd9:eff2"
target.ip = "10.11.11.66"
target.ip = "fc80::f816:3cff:cd09:cd49"
target.url = "/serviceValidate?ticket=ST-20/login/api.domain.com
target.asset.hostname = "apache-ext-001"
observer.hostname = "apache_server"
security_result.action = "ALLOW"
network.http.method = "GET"
network.http.user_agent = "Java/1.8.0_202\"
network.http.response_code = 200

Parser Alerting

This product currently does not have any Parser-based Alerting