Apache Logs

Connecting Apache logs to your Panther Console

Overview

Panther supports ingesting Apache logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.

How to onboard Apache logs to Panther

To connect these logs into Panther:

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Apache," then click its tile.
In the Transport Mechanism drop-down, select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method:
- AWS S3 bucket
- AWS SQS
Click Start Setup.
Configure Apache to push logs to the Data Transport source.
- See Apache's documentation for instructions on pushing logs to your selected Data Transport source.

Supported log types

Apache.AccessCombined

Apache HTTP server access logs using the combined format.

For more information, see the Apache documentation on Combined Log Format.

schema: Apache.AccessCombined
parser:
    fastmatch:
        match:
            - '%{remote_host_ip_address} %{client_identity_rfc_1413} %{request_user} [%{request_time}] "%{request_method} %{request_uri} %{request_protocol}" %{response_status} %{response_size} "%{referer}" "%{user_agent}"'
        emptyValues:
            - '-'
        trimSpace: true
description: Apache HTTP server access logs using the 'combined' format
referenceURL: https://httpd.apache.org/docs/current/logs.html#combined
fields:
    - name: remote_host_ip_address
      description: This is the IP address of the client (remote host) which made the request to the server. If HostnameLookups is set to On, then the server will try to determine the hostname and log it in place of the IP address.
      type: string
      indicators:
        - hostname
    - name: client_identity_rfc_1413
      description: The RFC 1413 identity of the client determined by identd on the clients machine.
      type: string
    - name: request_user
      description: The userid of the person requesting the document as determined by HTTP authentication.
      type: string
      indicators:
        - username
    - name: request_time
      description: The time that the request was received.
      type: timestamp
      timeFormats:
        - '%d/%b/%Y:%H:%M:%S %z'
      isEventTime: true
    - name: request_method
      description: The HTTP request method
      type: string
    - name: request_uri
      description: The HTTP request URI
      type: string
    - name: request_protocol
      description: The HTTP request protocol
      type: string
    - name: response_status
      description: The HTTP status of the response
      type: smallint
    - name: response_size
      description: The size of the HTTP response in bytes
      type: bigint
    - name: user_agent
      description: The User-Agent HTTP header
      type: string
    - name: referer
      description: The Referer HTTP header
      type: string

Apache.AccessCommon

Apache HTTP server access logs using the common format.

For more information, see the Apache documentation on Common Log Format.

schema: Apache.AccessCommon
parser:
    fastmatch:
        match:
            - '%{remote_host_ip_address} %{client_identity_rfc_1413} %{request_user} [%{request_time}] "%{request_method} %{request_uri} %{request_protocol}" %{response_status} %{response_size}'
        emptyValues:
            - '-'
        trimSpace: true
description: Apache HTTP server access logs using the 'common' format
referenceURL: https://httpd.apache.org/docs/current/logs.html#common
fields:
    - name: remote_host_ip_address
      description: This is the IP address of the client (remote host) which made the request to the server. If HostnameLookups is set to On, then the server will try to determine the hostname and log it in place of the IP address.
      type: string
      indicators:
        - hostname
    - name: client_identity_rfc_1413
      description: The RFC 1413 identity of the client determined by identd on the clients machine.
      type: string
    - name: request_user
      description: The userid of the person requesting the document as determined by HTTP authentication.
      type: string
      indicators:
        - username
    - name: request_time
      description: The time that the request was received.
      type: timestamp
      timeFormats:
        - '%d/%b/%Y:%H:%M:%S %z'
      isEventTime: true
    - name: request_method
      description: The HTTP request method
      type: string
    - name: request_uri
      description: The HTTP request URI
      type: string
    - name: request_protocol
      description: The HTTP request protocol
      type: string
    - name: response_status
      description: The HTTP status of the response
      type: smallint
    - name: response_size
      description: The size of the HTTP response in bytes
      type: bigint

Previous1Password Logs NextAppOmni Logs

Last updated 1 year ago

Was this helpful?