Apache
About
The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.
Product Details
Vendor URL: Apache HTTP Server - The Apache Software Foundation
Product Type: Web Server
Product Tier: Tier III
Integration Method: Syslog
Integration URL: The rocket-fast Syslog Server - rsyslog
Log Guide: Log Files - Apache HTTP Server
Parser Details
Log Format: JSON
Expected Normalization Rate: 75%
Data Label: APACHE
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
line | additional.fields |
id | additional.fields |
Unique ID | additional.fields |
TLS Version | additional.fields |
TLS Details | additional.fields |
environment | additional.fields |
Matched Data | additional.fields |
VER | additional.fields |
file | target.file.full_path |
dst | target.ip |
event_type | metadata.event_type |
hostname | target.hostname |
src | principal.hostname |
src | principal.ip |
pid | principal.process.pid |
response_code | network.http.response_code |
method | network.http.method |
referral_url | target.url |
user_agent | network.http.user_agent |
suser | principal.user.userid |
dst_port | target.port |
src_port | principal.port |
observer | observer.hostname |
observer | observer.ip |
response_code description | metadata.description |
summary | metadata.description |
ALLOW/BLOCK | security_result.action |
vendor | metadata.vendor_name |
product | metadata.product_name |
version | metadata.product_version |
rulename | security_result.rule_name |
LOW/MEDIUM/HIGH/CRITICAL | security_result.severity |
msg | metadata.product_event_type |
tag1-tag10 | security_result.category_details |
Product Event Types
type,subtype | severity | UDM Event Classification | alerting enabled |
---|---|---|---|
apache_error | | STATUS_UNCATEGORIZED | |
HTTP | | NETWORK_HTTP | |
HTTPS | | NETWORK_HTTP | |
FTP | | NETWORK_FTP | |
Log Sample
2021-12-07 05:52:57 apache_server INFO MessageKey="_uBzk30B2" Message="{"@timestamp":"2021-12-07T05:52:57.189Z","@metadata":{"beat":"filebeat","type":"_doc","version":"7.10.0","_id":"_uBzk30B2"},"environment":["production"],"log":{"file":{"path":"/var/log/apache2/login.access.log"},"offset":228},"message":"[07/Dec/2021:05:52:56 +0000] -@10.10.10.111 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 \"GET /serviceValidate?ticket=ST-20/login/api.domain.com HTTP/1.1\" 200 809 \"Java/1.8.0_202\"","input":{"type":"log"},"fields":{"kafka_topic":"apache-logs","log_type":"access"},"ecs":{"version":"1.6.0"},"host":{"ip":["10.9.9.71","fc80::f816:3cff:fcd9:eff2","10.11.11.66","fc80::f816:3cff:cd09:cd49"],"architecture":"x86_64","os":{"version":"10 (buster)","family":"debian","name":"Debian GNU/Linux","kernel":"4.19.0-11-amd64","codename":"buster","platform":"debian"},"id":"d05eea0d74ba47ad","name":"apache-ext-001","mac":["fa:16:3e:d9:cd:c1","fa:16:3e:09:c0:49"],"hostname":"apache-ext-001","containerized":false,"fqdn":"apache-ext-001.companyname.com"},"agent":{"ephemeral_id":"7f204c75-0f90-4032-afa8","id":"56437723-3b83-4e2e-ab1e","name":"apache-ext-001","type":"filebeat","version":"7.10.0","hostname":"apache-ext-001"},"cloud":{"machine":{"type":"large"},"availability_zone":"host","provider":"openstack","instance":{"name":"apache-ext-001.companyname.com","id":"i-00001"}}}"
Sample Parsing
metadata.event_timestamp = "2021-12-07T05:52:56Z"
metadata.event_type = "NETWORK_HTTP"
metadata.vendor_name = "APACHE"
metadata.product_name = "filebeat"
metadata.product_version = "7.10.0"
metadata.description = "Response Code:200 - OK - Standard response for successful HTTP requests."
metadata.ingested_timestamp = "2021-12-07T05:53:39.166073Z"
additional.TLS Details = "ECDHE-RSA-AES256-GCM-SHA384"
additional.TLS Version = "TLSv1.2"
additional.environment = "production"
principal.hostname = "NULL"
principal.user.userid = "-"
principal.ip = "10.10.10.111"
principal.asset.ip = "10.10.10.111"
target.hostname = "apache-ext-001"
target.ip = "10.9.9.71"
target.ip = "fc80::f816:3cff:fcd9:eff2"
target.ip = "10.11.11.66"
target.ip = "fc80::f816:3cff:cd09:cd49"
target.url = "/serviceValidate?ticket=ST-20/login/api.domain.com"
target.asset.hostname = "apache-ext-001"
observer.hostname = "apache_server"
security_result.action = "ALLOW"
network.http.method = "GET"
network.http.user_agent = "Java/1.8.0_202"
network.http.response_code = 200
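The log sample and the field mapping above, worked through as an added example. This is not the vendor's parser and not code from this page; it is a small Python normalizer that unwraps the syslog envelope, parses the Filebeat JSON, matches the inner access line, and emits the flat UDM-style keys shown under Sample Parsing. Assumptions not stated on the page: the inner line is produced by an Apache LogFormat equivalent to `%t %u@%a %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %>s %b "%{User-Agent}i"`; HTTP versus HTTPS is decided by whether a TLS version is present; 401 and 403 map to BLOCK and everything else to ALLOW; the description uses the standard reason phrase rather than the parser's longer text; and both sample lines below are constructed (the first trimmed from the page's sample, the second an invented error-log event).

```python
import json
import re
from datetime import datetime, timezone
from http import HTTPStatus

# Constructed sample, trimmed from the Filebeat/syslog event shown on this page
# (not a live capture). The JSON body sits unescaped inside Message="...".
SAMPLE = (
    '2021-12-07 05:52:57 apache_server INFO MessageKey="_uBzk30B2" Message="'
    '{"@timestamp":"2021-12-07T05:52:57.189Z","environment":["production"],'
    '"message":"[07/Dec/2021:05:52:56 +0000] -@10.10.10.111 TLSv1.2 '
    'ECDHE-RSA-AES256-GCM-SHA384 \\"GET /serviceValidate?ticket=ST-20/login/api.domain.com '
    'HTTP/1.1\\" 200 809 \\"Java/1.8.0_202\\"",'
    '"fields":{"kafka_topic":"apache-logs","log_type":"access"},'
    '"host":{"ip":["10.9.9.71","fc80::f816:3cff:fcd9:eff2"],"hostname":"apache-ext-001"},'
    '"agent":{"type":"filebeat","version":"7.10.0"}}"'
)

# Constructed error-log event (invented, same envelope) to exercise the apache_error path.
ERROR_SAMPLE = (
    '2021-12-07 05:53:01 apache_server INFO MessageKey="_uBzk30B3" Message="'
    '{"message":"[Tue Dec 07 05:53:01.000000 2021] [core:error] [pid 1234] '
    '[client 10.10.10.111:50000] File does not exist: /var/www/html/.env",'
    '"fields":{"log_type":"error"},"host":{"hostname":"apache-ext-001"},'
    '"agent":{"type":"filebeat","version":"7.10.0"}}"'
)

# Syslog envelope: <date> <time> <observer> <level> MessageKey="..." Message="<json>".
# The JSON is not quote-escaped, so the body is taken greedily up to the final quote.
ENVELOPE_RE = re.compile(
    r'^(?P<date>\S+ \S+) (?P<observer>\S+) (?P<level>\S+) '
    r'MessageKey="(?P<key>[^"]*)" Message="(?P<body>\{.*\})"$'
)

# Assumed LogFormat behind the inner access line (the page does not state it):
#   %t %u@%a %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %>s %b "%{User-Agent}i"
ACCESS_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<user>\S+)@(?P<src>\S+) (?P<tls_ver>\S+) (?P<tls_cipher>\S+) '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<ua>[^"]*)"$'
)


def status_description(code: int) -> str:
    """'Response Code:200 - OK' style text; unknown codes get no reason phrase."""
    try:
        return f"Response Code:{code} - {HTTPStatus(code).phrase}"
    except ValueError:
        return f"Response Code:{code}"


def parse_event(line: str) -> dict:
    """Normalize one syslog-wrapped Filebeat event into flat UDM-style keys."""
    env = ENVELOPE_RE.match(line)
    if not env:
        raise ValueError("not a syslog/Filebeat envelope")
    ev = json.loads(env.group("body"))
    host = ev.get("host", {})
    agent = ev.get("agent", {})
    udm = {
        "metadata.vendor_name": "APACHE",
        # As on this page, the shipper (filebeat), not httpd, lands in product_name.
        "metadata.product_name": agent.get("type"),
        "metadata.product_version": agent.get("version"),
        "observer.hostname": env.group("observer"),
        "target.hostname": host.get("hostname"),
        "target.ip": list(host.get("ip", [])),  # multi-valued, as in Sample Parsing
        "additional.environment": ",".join(ev.get("environment", [])),
    }
    acc = ACCESS_RE.match(ev.get("message", ""))
    if ev.get("fields", {}).get("log_type") != "access" or not acc:
        # Error-log lines (and anything the access regex rejects) stay uncategorized.
        udm["metadata.event_type"] = "STATUS_UNCATEGORIZED"
        udm["metadata.product_event_type"] = "apache_error"
        udm["metadata.description"] = ev.get("message", "")
        return udm
    ts = datetime.strptime(acc.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    code = int(acc.group("status"))
    udm.update({
        "metadata.event_timestamp": ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "metadata.event_type": "NETWORK_HTTP",
        # Assumption: a TLS version means HTTPS; mod_ssl logs "-" on plain HTTP.
        "metadata.product_event_type": "HTTPS" if acc.group("tls_ver") != "-" else "HTTP",
        "metadata.description": status_description(code),
        "additional.TLS Version": acc.group("tls_ver"),
        "additional.TLS Details": acc.group("tls_cipher"),
        # "-" is Apache's placeholder for no authenticated %u. The page's parser keeps it
        # verbatim, so detection rules must not treat "-" as a real user ID.
        "principal.user.userid": acc.group("user"),
        "principal.ip": acc.group("src"),
        "target.url": acc.group("url"),
        "network.http.method": acc.group("method"),
        "network.http.response_code": code,
        "network.http.user_agent": acc.group("ua"),
        # Assumed ALLOW/BLOCK policy: authentication and authorization denials are BLOCK.
        "security_result.action": "BLOCK" if code in (401, 403) else "ALLOW",
    })
    return udm


if __name__ == "__main__":
    for sample in (SAMPLE, ERROR_SAMPLE):
        print(json.dumps(parse_event(sample), indent=2))
```

Two points for rule authors follow from the mapping: `principal.user.userid` carries the literal `-` whenever Apache had no authenticated user, so a rule that groups by user ID will lump every anonymous request under one key; and `metadata.product_name` identifies the shipper rather than the web server, so filter on `metadata.vendor_name = "APACHE"` or the data label instead.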
Parser Alerting
This product currently does not have any Parser-based Alerting.
Rules
Coming Soon