Panther supports ingesting Apache logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.
How to onboard Apache logs to Panther
To connect these logs into Panther:
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Apache," then click its tile.
In the Transport Mechanism drop-down, select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method:
schema: Apache.AccessCombined
parser:
fastmatch:
match:
- '%{remote_host_ip_address} %{client_identity_rfc_1413} %{request_user} [%{request_time}] "%{request_method} %{request_uri} %{request_protocol}" %{response_status} %{response_size} "%{referer}" "%{user_agent}"'
emptyValues:
- '-'
trimSpace: true
description: Apache HTTP server access logs using the 'combined' format
referenceURL: https://httpd.apache.org/docs/current/logs.html#combined
fields:
- name: remote_host_ip_address
description: This is the IP address of the client (remote host) which made the request to the server. If HostnameLookups is set to On, then the server will try to determine the hostname and log it in place of the IP address.
type: string
indicators:
- hostname
- name: client_identity_rfc_1413
description: The RFC 1413 identity of the client determined by identd on the clients machine.
type: string
- name: request_user
description: The userid of the person requesting the document as determined by HTTP authentication.
type: string
indicators:
- username
- name: request_time
description: The time that the request was received.
type: timestamp
timeFormats:
- '%d/%b/%Y:%H:%M:%S %z'
isEventTime: true
- name: request_method
description: The HTTP request method
type: string
- name: request_uri
description: The HTTP request URI
type: string
- name: request_protocol
description: The HTTP request protocol
type: string
- name: response_status
description: The HTTP status of the response
type: smallint
- name: response_size
description: The size of the HTTP response in bytes
type: bigint
- name: user_agent
description: The User-Agent HTTP header
type: string
- name: referer
description: The Referer HTTP header
type: string
Apache.AccessCommon
Apache HTTP server access logs using the common format.
schema: Apache.AccessCommon
parser:
fastmatch:
match:
- '%{remote_host_ip_address} %{client_identity_rfc_1413} %{request_user} [%{request_time}] "%{request_method} %{request_uri} %{request_protocol}" %{response_status} %{response_size}'
emptyValues:
- '-'
trimSpace: true
description: Apache HTTP server access logs using the 'common' format
referenceURL: https://httpd.apache.org/docs/current/logs.html#common
fields:
- name: remote_host_ip_address
description: This is the IP address of the client (remote host) which made the request to the server. If HostnameLookups is set to On, then the server will try to determine the hostname and log it in place of the IP address.
type: string
indicators:
- hostname
- name: client_identity_rfc_1413
description: The RFC 1413 identity of the client determined by identd on the clients machine.
type: string
- name: request_user
description: The userid of the person requesting the document as determined by HTTP authentication.
type: string
indicators:
- username
- name: request_time
description: The time that the request was received.
type: timestamp
timeFormats:
- '%d/%b/%Y:%H:%M:%S %z'
isEventTime: true
- name: request_method
description: The HTTP request method
type: string
- name: request_uri
description: The HTTP request URI
type: string
- name: request_protocol
description: The HTTP request protocol
type: string
- name: response_status
description: The HTTP status of the response
type: smallint
- name: response_size
description: The size of the HTTP response in bytes
type: bigint
