
FortiSIEM - Apache Web Server - Syslog Parser

  • 1.  FortiSIEM - Apache Web Server - Syslog Parser

    Posted Mar 13, 2020 03:04 AM
    Hi,

    I came across an issue with the current Apache Web Server integration with FortiSIEM. It uses the 'Snare Agent' to forward the Apache access/error logs via Syslog, and there is a parser for the Snare agent in FortiSIEM.

    But if you use any other open-source syslog service (e.g. rsyslog/syslog-ng), that parser won't support it.

    What would be the best workaround for this? Creating a custom parser for rsyslog/syslog-ng?

    Cheers,
    Isuru


  • 2.  RE: FortiSIEM - Apache Web Server - Syslog Parser

    GROUP ADMIN
    Posted Mar 13, 2020 07:47 AM
    Hi Isuru,

    Are you able to share any of your Apache logs and how you have apache logging configured?

    I can look at modifying the parser for you.

    Thanks

    Dan


  • 3.  RE: FortiSIEM - Apache Web Server - Syslog Parser

    Posted Mar 17, 2020 08:39 PM
    Hi Dan,

    Sorry for the late response. Please find the logs exported from FortiSIEM herewith. Moreover, I have attached a screenshot of the Rsyslog config file.

    We could see that general Syslog messages also cannot be identified by the SIEM.

    Appreciate your support.

    Cheers,
    Isuru

    Attachment(s)

    Logs.zip (zip, 206K, 1 version)


  • 4.  RE: FortiSIEM - Apache Web Server - Syslog Parser

    GROUP ADMIN
    Posted Mar 23, 2020 09:23 AM
    I made a quick change to the parser; it should at least recognize the events.

    You'll need to disable the existing Apache parser and the InfoBloxAuditParser.

    Clone the Apache parser and use the one I have attached here. Then do a validate, test (use the sample events below), then enable. Make sure you hit the apply button.


    <190>Mar 13 09:20:15 localhost access_log ::1 - - [13/Mar/2020:09:20:15 +0530] "GET /images/blog-1.jpg HTTP/1.1" 200 122314 "http://localhost/contact.html" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
    <190>Mar 13 03:48:02 localhost error_log AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message


    Attachment(s)

    apache_dan1.xml (xml, 6K, 1 version)