Skip to main content

Apache Web Server

Modeling Rules for the Apache Web Server logs collector

Apache Web Server

This pack includes Cortex XSIAM content.

Configuration on Server Side

You need to configure Apache Web Server to forward Syslog messages.

Open your Apache Web Server instance, and follow these instructions Documentation:

  1. Log in to your Apache Web Server instance as a root user.
  2. Edit the Apache configuration file httpd.conf.
    • Ensure to keep a backup copy of the file.
    • Edit one configuration file at a time. Save the file after each change and monitor its effect.
    • For further information on Apache Log Files - Documentation
  3. Add the following information in the Apache configuration file to specify a custom path for the syslog events:
    ```bash
    CustomLog "|/usr/bin/logger -t httpd -p ." combined 
   Where:
   * **facility** is a syslog facility, for example- local0.
   * **priority** is a syslog priority, for example- info OR notice.
4. Disable hostname lookup:

bash
HostnameLookups off

5. Save the configuration file.
6. Edit the syslog configuration file:

bash
/etc/syslog.conf

7. Add the following information to your syslog configuration file:

bash
. @:

   Where:
   * **facility** - This value must match the value that you typed in the step 3.
   * **priority** - This value must match the value that you typed in step 3.
   * **TAB** - Indicates you must press the Tab key.
   * **host** - The syslog destination IP address.
   * **port** - The syslog destination Port.
8. Save the syslog configuration file.
9. Restart the syslog service:

bash
/etc/init.d/syslog restart
```

  1. Restart Apache to complete the syslog configuration.
  • Pay attention: Timestamp Parsing is only available for the default %t format: [%d/%b/%Y{Key}%H:%M:%S %z]

Collect Events from Vendor

In order to use the collector, use the Broker VM option.

Broker VM

To create or configure the Broker VM, use the information described here.

You can configure the specific vendor and product for this instance.

  1. Navigate to Settings > Configuration > Data Broker > Broker VMs.
  2. Right-click, and select Syslog Collector > Configure.
  3. When configuring the Syslog Collector, set the following values:
    • vendor as vendor - apache
    • product as product - httpd

PUBLISHER

PLATFORMS

Cortex XSIAM

INFO

CertificationRead more
Supported ByCortex
CreatedJune 14, 2022
Last ReleaseJuly 23, 2023
DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.