Panther supports ingesting Apache logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.
How to onboard Apache logs to Panther
To connect these logs into Panther:
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Apache," then click its tile.
In the Transport Mechanism drop-down, select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method:
schema:Apache.AccessCombinedparser:fastmatch:match: - '%{remote_host_ip_address} %{client_identity_rfc_1413} %{request_user} [%{request_time}] "%{request_method} %{request_uri} %{request_protocol}" %{response_status} %{response_size} "%{referer}" "%{user_agent}"'
emptyValues: - '-'trimSpace:truedescription:Apache HTTP server access logs using the 'combined' formatreferenceURL:https://httpd.apache.org/docs/current/logs.html#combinedfields: - name:remote_host_ip_address description: This is the IP address of the client (remote host) which made the request to the server. If HostnameLookups is set to On, then the server will try to determine the hostname and log it in place of the IP address.
type:stringindicators: - hostname - name:client_identity_rfc_1413description:The RFC 1413 identity of the client determined by identd on the clients machine.type:string - name:request_userdescription:The userid of the person requesting the document as determined by HTTP authentication.type:stringindicators: - username - name:request_timedescription:The time that the request was received.type:timestamptimeFormats: - '%d/%b/%Y:%H:%M:%S %z'isEventTime:true - name:request_methoddescription:The HTTP request methodtype:string - name:request_uridescription:The HTTP request URItype:string - name:request_protocoldescription:The HTTP request protocoltype:string - name:response_statusdescription:The HTTP status of the responsetype:smallint - name:response_sizedescription:The size of the HTTP response in bytestype:bigint - name:user_agentdescription:The User-Agent HTTP headertype:string - name:refererdescription:The Referer HTTP headertype:string
Apache.AccessCommon
Apache HTTP server access logs using the common format.
schema:Apache.AccessCommonparser:fastmatch:match: - '%{remote_host_ip_address} %{client_identity_rfc_1413} %{request_user} [%{request_time}] "%{request_method} %{request_uri} %{request_protocol}" %{response_status} %{response_size}'
emptyValues: - '-'trimSpace:truedescription:Apache HTTP server access logs using the 'common' formatreferenceURL:https://httpd.apache.org/docs/current/logs.html#commonfields: - name:remote_host_ip_address description: This is the IP address of the client (remote host) which made the request to the server. If HostnameLookups is set to On, then the server will try to determine the hostname and log it in place of the IP address.
type:stringindicators: - hostname - name:client_identity_rfc_1413description:The RFC 1413 identity of the client determined by identd on the clients machine.type:string - name:request_userdescription:The userid of the person requesting the document as determined by HTTP authentication.type:stringindicators: - username - name:request_timedescription:The time that the request was received.type:timestamptimeFormats: - '%d/%b/%Y:%H:%M:%S %z'isEventTime:true - name:request_methoddescription:The HTTP request methodtype:string - name:request_uridescription:The HTTP request URItype:string - name:request_protocoldescription:The HTTP request protocoltype:string - name:response_statusdescription:The HTTP status of the responsetype:smallint - name:response_sizedescription:The size of the HTTP response in bytestype:bigint
