
web.apache

Introduction

The tags beginning with web.apache identify events generated by the Apache HTTP Server Project belonging to The Apache Software Foundation.

Valid tags and data tables

The full tag must have 6 levels. The first two are fixed as web.apache. The third level identifies the type of event sent (the access log format, or error, mod-jk or mod-security), and the remaining three identify the event subtypes.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product/Service             Tag                                                  Data table
Apache HTTP Server Project  web.apache.access-clf.pro.turrican.www1              web.apache.accessClf
                            web.apache.access-combined.pro.webFoobar.www1        web.apache.accessCombined
                            web.apache.access-combined.pro.foobar.www1           web.apache.accessCombined
                            web.apache.access-combined.prod.mgr1.webfiltering    web.apache.accessCombined
                            web.apache.access-lt.pro.www-logtrust-ssl.www1       web.apache.accessLt
                            web.apache.access-lt-xff.pro.app-logtrust.8B97E      web.apache.accessLtXff
                            web.apache.access-vhc.pro.turrican.www1              web.apache.accessVhc
                            web.apache.error.pro.analytics.www1                  web.apache.error
                            web.apache.mod-jk.pro.app-logtrust.5E2F0             web.apache.modJk
                            web.apache.mod-security.pro.www-logtrust-ssl.www1    web.apache.modSecurity

Devo also supports the events generated by the ModSecurity web application firewall.

For more information, read more about Devo tags.

Devo supports five formats for access log events: three standard Apache formats (clf, combined and vhc) and two custom formats defined by Devo (lt and ltXff). The format name is the third level of the tag.

The format for log events is determined by the LogFormat directive. See below the expressions for each of the supported formats:

  • CLF:
    access-clf for the Common Log Format (CLF). The directive that defines this (default) format is:

    LogFormat "%h %l %u %t \"%r\" %>s %O" common
  • Combined:
    access-combined for the NCSA extended/combined log format. The directive that defines this format is:

    LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
  • Devo Access:
    access-lt for the Devo-defined format that adds more detail to the standard formats listed above. The directive that defines this format is:

    LogFormat "%{%F:%T%z}t %a %l %u %v:%p \"%r\" \"%U\" \"%{Referer}i\" \"%{User-Agent}i\" \"%{c1}C:%{c2}C\" %>s %X %I %D %B %O" access-lt

    Here "%{c1}C:%{c2}C:...:%{cN}C" lists the names of the cookies whose values you want reflected in the log; Apache writes the values separated by colons, and "-" for a cookie the client did not send. If you don't want to log any cookie, leave the field empty (""). Whatever is listed here ends up in clear text in the log file, so do not include session or authentication cookies unless the log file is protected accordingly.

  • Devo Access X-Forwarded-For:
    access-lt-xff, the same as the access-lt format, but intended for web servers behind a load balancer or reverse proxy, where the client source IP is taken from the X-Forwarded-For header. That header is supplied by whatever sits in front of the server, so only rely on it when the proxy is yours and it strips or overwrites any X-Forwarded-For value sent by the client. The directive to define this format is:

  • Virtual Host Combined:
    access-vhc for the NCSA extended/combined log format with the virtual host prepended. The directive to define this format is:
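The quickest way to confirm that the LogFormat actually in use matches what the parser expects is to parse a few lines with a regex derived from the directive. The following is an added example, not code from Devo or the Apache project: it parses lines in the clf, combined and access-lt formats above, unescapes the backslash-escaped quotes Apache writes inside "%r" and header fields, and maps the "%{c1}C:%{c2}C" field back onto the configured cookie names (including the case where that field was left as ""). The sample lines are constructed, and the field names are this example's own choice, not the Devo table columns.

```python
import re
from typing import Dict, List, Optional

# Apache backslash-escapes " and \ inside quoted fields (%r, %U, %{...}i,
# %{...}C), so a quoted field is "anything up to an unescaped quote".
_Q = r'"((?:[^"\\]|\\.)*)"'

# One regex per LogFormat directive on this page. Group order follows the
# directive; the names are this example's own choice, not Devo column names.
_CLF_CORE = r'(\S+) (\S+) (\S+) \[([^\]]+)\] ' + _Q + r' (\d{3}) (\d+|-)'
_PATTERNS = {
    # %h %l %u %t "%r" %>s %O
    "clf": (re.compile(r'^' + _CLF_CORE + r'$'),
            ["host", "ident", "user", "time", "request", "status", "bytes_out"]),
    # ... "%{Referer}i" "%{User-Agent}i"
    "combined": (re.compile(r'^' + _CLF_CORE + r' ' + _Q + r' ' + _Q + r'$'),
                 ["host", "ident", "user", "time", "request", "status", "bytes_out",
                  "referer", "user_agent"]),
    # %{%F:%T%z}t %a %l %u %v:%p "%r" "%U" "%{Referer}i" "%{User-Agent}i"
    #   "%{c1}C:%{c2}C" %>s %X %I %D %B %O
    "lt": (re.compile(r'^(\S+) (\S+) (\S+) (\S+) ([^:\s]+):(\d+) ' + _Q + r' ' + _Q
                      + r' ' + _Q + r' ' + _Q + r' ' + _Q
                      + r' (\d{3}) ([X+-]) (\d+) (\d+) (\d+) (\d+)$'),
           ["time", "client_ip", "ident", "user", "vhost", "port", "request",
            "url_path", "referer", "user_agent", "cookies", "status",
            "conn_status", "bytes_in", "duration_us", "bytes_body", "bytes_out"]),
}

def _unescape(s: str) -> str:
    """Undo Apache's backslash escaping inside quoted log fields."""
    return re.sub(r'\\(.)', r'\1', s)

def _split_cookies(raw: str, names: List[str]) -> Dict[str, Optional[str]]:
    """Map the "%{c1}C:%{c2}C" field back onto the configured cookie names.

    Apache writes "-" for a cookie that was not sent. The directive joins the
    values with ":" so a value containing a colon is ambiguous; the split is
    limited to len(names)-1 cuts so extra colons stay in the last value.
    """
    if not names:
        return {}                      # directive configured with "" -> nothing to map
    values = raw.split(":", len(names) - 1)
    if len(values) != len(names):
        raise ValueError(f"expected {len(names)} cookie values, got {raw!r}")
    return {n: (None if v == "-" else v) for n, v in zip(names, values)}

def parse_access_line(line: str, fmt: str,
                      cookie_names: Optional[List[str]] = None) -> Dict[str, object]:
    """Parse one access log line written with the named LogFormat.

    fmt is "clf", "combined" or "lt"; cookie_names is the c1..cN list from the
    access-lt directive (None when the cookie field was left as "").
    A ValueError means the LogFormat and this parser disagree, which is
    exactly the mismatch you want to catch before shipping logs.
    """
    pattern, names = _PATTERNS[fmt]
    m = pattern.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"line does not match {fmt} format: {line!r}")
    rec: Dict[str, object] = dict(zip(names, (_unescape(g) for g in m.groups())))

    # "%r" is the raw request line; split it so the target can be inspected
    # on its own (request lines that are not three tokens are kept raw).
    parts = str(rec["request"]).split(" ")
    if len(parts) == 3:
        rec["method"], rec["target"], rec["protocol"] = parts

    for key in ("status", "port", "bytes_in", "duration_us", "bytes_body"):
        if key in rec:
            rec[key] = int(str(rec[key]))
    rec["bytes_out"] = 0 if rec["bytes_out"] == "-" else int(str(rec["bytes_out"]))

    if fmt == "lt":
        rec["cookies"] = _split_cookies(str(rec["cookies"]), cookie_names or [])
    return rec

# Constructed sample lines (not real traffic), one per format.
SAMPLE_CLF = '203.0.113.7 - - [05/Mar/2024:14:22:31 +0000] "GET /index.html HTTP/1.1" 200 2326'
SAMPLE_COMBINED = SAMPLE_CLF + ' "https://www.example.com/" "Mozilla/5.0"'
SAMPLE_LT = ('2024-03-05:14:22:31+0000 203.0.113.7 - alice www.example.com:443 '
             '"GET /search?q=\\"x\\" HTTP/1.1" "/search" "-" "Mozilla/5.0" '
             '"abc123:-" 200 + 412 18342 0 512')

if __name__ == "__main__":
    print(parse_access_line(SAMPLE_CLF, "clf"))
    print(parse_access_line(SAMPLE_COMBINED, "combined"))
    print(parse_access_line(SAMPLE_LT, "lt", ["SESSIONID", "lang"]))
```

Run it against a handful of lines taken from the real access log before pointing rsyslog at the file: a ValueError on every line usually means the CustomLog directive references a different LogFormat nickname than the one you intended.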

Table structure

These are the fields displayed in these tables:

How is the data sent to Devo?

Sending to Devo using rsyslog

We recommend using a rsyslog configuration file to monitor and forward the Apache error and access logs. For guidance, see the articles about file monitoring and sending using rsyslog.

To locate your Apache log files, look for the ErrorLog and CustomLog directives in your Apache configuration file.

Sending to Devo using logger

The ErrorLog and CustomLog directives can also pipe events to an external process such as logger. This is how you would write these directives to send events through logger:

Forwarding to local syslog:

A note about syslog sending

Although Apache is able to send error logs directly over syslog, we don't recommend this method. Syslog output is not available for access logs, so the installation would need a second sending method for those, adding complexity. Unselect the "sent without syslog tag" option when setting up the logs to be ingested by the parsers.

To know more about this topic, visit Sending data to Devo.

Configure the audit log file

Check the main ModSecurity configuration file to make sure that the audit file is being generated. The directives that begin with SecAudit dictate whether the file is generated, in what format and in which directory. Below is a sample excerpt that shows some of these directives.

ModSecurity audit log configuration:

Here you can find additional information on the audit log configuration options. 
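Rather than eyeballing the SecAudit* directives, the check can be scripted. The following is an added example, not code from Devo or the ModSecurity project: it reads the SecAudit* directives from a constructed modsecurity.conf excerpt (honouring quoted values, comments, line continuations and "last directive wins") and reports whether an audit log will be produced and which path a file monitor should follow. The directive names and defaults are ModSecurity v2's documented ones; the sample configuration and the report field names are this example's own.

```python
import shlex
from typing import Dict, List, Optional

# Audit-log directives of ModSecurity v2 with their documented defaults.
_AUDIT_DEFAULTS: Dict[str, Optional[str]] = {
    "secauditengine": "Off",
    "secauditlogtype": "Serial",
    "secauditlog": None,
    "secauditlogstoragedir": None,
    "secauditlogparts": "ABCFHZ",
}

def parse_audit_directives(config_text: str) -> Dict[str, Optional[str]]:
    """Collect the SecAudit* directives from an Apache/ModSecurity config.

    Directive names are case-insensitive, values may be quoted, and a
    trailing backslash continues the directive on the next line, as in
    httpd.conf. When a directive appears twice the last one wins, which is
    what ModSecurity itself does.
    """
    settings = dict(_AUDIT_DEFAULTS)
    logical = ""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical += line
        try:
            tokens = shlex.split(logical)
        except ValueError:                 # unbalanced quotes: fall back to a plain split
            tokens = logical.split()
        logical = ""
        if len(tokens) >= 2 and tokens[0].lower() in settings:
            settings[tokens[0].lower()] = tokens[1]
    return settings

def audit_log_check(config_text: str) -> Dict[str, object]:
    """Report whether an audit log will be produced and which file to monitor."""
    s = parse_audit_directives(config_text)
    engine = s["secauditengine"] or "Off"
    log_type = (s["secauditlogtype"] or "Serial").lower()
    problems: List[str] = []
    enabled = engine.lower() in ("on", "relevantonly")
    if not enabled:
        problems.append("SecAuditEngine is Off: no audit log is written")
    if not s["secauditlog"]:
        problems.append("SecAuditLog is not set: there is no file for rsyslog to follow")
    if log_type == "concurrent" and not s["secauditlogstoragedir"]:
        problems.append("SecAuditLogType Concurrent requires SecAuditLogStorageDir")
    return {
        "enabled": enabled,
        "engine": engine,
        "type": log_type,
        # Serial: every entry is appended to the single SecAuditLog file, the
        # one to point a file monitor at. Concurrent: SecAuditLog is only an
        # index and each transaction gets its own file under the storage
        # directory, so a single-file monitor on SecAuditLog would miss them.
        "file_to_monitor": s["secauditlog"] if log_type == "serial" else None,
        "index_file": s["secauditlog"] if log_type == "concurrent" else None,
        "storage_dir": s["secauditlogstoragedir"],
        "parts": s["secauditlogparts"],
        "problems": problems,
    }

# Constructed sample excerpt in the shape of a modsecurity.conf file.
SAMPLE_MODSEC_CONF = """\
# --- constructed excerpt, not a real deployment ---
SecRuleEngine On
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog "/var/log/apache2/modsec_audit.log"
"""

if __name__ == "__main__":
    for key, value in audit_log_check(SAMPLE_MODSEC_CONF).items():
        print(f"{key}: {value}")
```

The report's file_to_monitor is the path to put in the rsyslog file-monitoring configuration; if the audit log type is Concurrent the check deliberately returns none, because in that mode the entries are not in the SecAuditLog file at all.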

Monitor the audit log using rsyslog

The following sample rsyslog configuration file monitors the audit log file and forwards events to a Devo endpoint. 

/etc/rsyslog.d/45-modsecurity.conf file:

  • Sending to a Devo Relay: Replace DEVO-RELAY and PORT with the IP address and the port of your Devo In-house Relay. 

  • Sending to the Devo Cloud: Uncomment the SSL config section and be sure the security certificate files are correctly referenced.  Replace DEVO-RELAY and PORT with the hostname of your Devo domain and port 443.

To know more about this topic, visit Simple sending using rsyslog and Secure sending using rsyslog.