IBM QRadar


Collecting Apache Logs by WinCollect File Forwarder

  • 1.  Collecting Apache Logs by WinCollect File Forwarder

    Posted Mon June 07, 2021 10:22 AM

    Hello,

    we have some Apache Web Servers running on a Windows device.

    We need to collect access logs and we chose to collect them by WinCollect File Forwarder protocol (wincollect agent was already installed on the device to collect security and system logs from OS).

    We are getting the logs, but they show as "unknown" events; below is an example of the raw logs:

    <13>Jun 07 14:55:11 192.168.2.22 AgentDevice=FileForwarder AgentLogFile=E:\xampp\apache\logs\access.log PluginVersion=7.3.0.41 Payload=27.34.24.192 - - [07/Jun/2021:14:55:07 +0545] "POST /kyc/home HTTP/1.1" 200 323494 "https://ekyc.sanimabank.com/kyc/home/filter_options" "Mozilla/5.0 (Linux; Android 10; M2010J19SI) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.210 Mobile Safari/537.36"

    <13>Jun 07 14:55:06 192.168.2.22 AgentDevice=FileForwarder AgentLogFile=E:\xampp\apache\logs\access.log PluginVersion=7.3.0.41 Payload=27.34.24.192 - - [07/Jun/2021:14:55:05 +0545] "GET /kyc/home/filter_options HTTP/1.1" 200 16834 "https://ekyc.sanimabank.com/kyc/home" "Mozilla/5.0 (Linux; Android 10; M2010J19SI) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.210 Mobile Safari/537.36"

    <13>Jun 07 14:54:56 192.168.2.22 AgentDevice=FileForwarder AgentLogFile=E:\xampp\apache\logs\access.log PluginVersion=7.3.0.41 Payload=122.254.84.39 - - [07/Jun/2021:14:54:55 +0545] "GET /kyc/home/validate HTTP/1.1" 200 9189 "https://ekyc.sanimabank.com/kyc/home/validate" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"

    Is there a way we can parse these logs as Apache events and get the correct field values? Has anyone already collected Apache logs from a Windows device? Do we need to create a dedicated LSX?

    Thanks in advance,

    Davide



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Collecting Apache Logs by WinCollect File Forwarder

    Posted Mon June 07, 2021 01:40 PM

    Hi Davide,

    The DSM editor will allow you to set a parsing override on all log sources of the same type. A Log Source extension will allow a parsing override or an enhancement for a specific log source. You can still use the DSM editor to help extract the properties you require to resolve your parsing issue and add them to the Log Source extension.

    https://supportcontent.ibm.com/support/pages/qradar-examples-log-source-extensions



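As an added illustration (not code from this thread, from IBM, or from the DSM editor), the two-stage extraction that a parsing override or LSX has to perform on the events quoted in the question: first strip the WinCollect FileForwarder envelope down to the text after Payload=, then apply Apache combined-log regexes to that payload. The sample event is constructed with documentation addresses and host, and the regex group names are this example's own choices, not QRadar property names.

```python
import re
from datetime import datetime

# Constructed sample in the same shape as the WinCollect FileForwarder events
# quoted in the question (addresses and host are documentation placeholders).
SAMPLE_EVENT = (
    '<13>Jun 07 14:55:11 192.0.2.22 AgentDevice=FileForwarder '
    'AgentLogFile=E:\\xampp\\apache\\logs\\access.log PluginVersion=7.3.0.41 '
    'Payload=198.51.100.7 - - [07/Jun/2021:14:55:07 +0545] '
    '"POST /kyc/home HTTP/1.1" 200 323494 "https://www.example.com/kyc/home" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"'
)

# Stage 1: the WinCollect wrapper. Everything after "Payload=" is the original
# Apache access-log line; the agent fields in front of it are what a default
# syslog parser sees, which is why these events arrive as "unknown".
WRAPPER_RE = re.compile(
    r'^<(?P<pri>\d+)>(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<agent_ip>\S+) '
    r'AgentDevice=(?P<agent_device>\S+) AgentLogFile=(?P<log_file>\S+) '
    r'PluginVersion=(?P<plugin>\S+) Payload=(?P<payload>.*)$'
)

# Stage 2: Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<client_ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_event(line: str) -> dict:
    """Unwrap the WinCollect envelope, then parse the Apache payload."""
    wrap = WRAPPER_RE.match(line)
    if not wrap:
        raise ValueError("not a WinCollect FileForwarder event")
    http = COMBINED_RE.match(wrap["payload"])
    if not http:
        raise ValueError("payload is not Apache combined format")
    fields = {**wrap.groupdict(), **http.groupdict()}
    del fields["payload"]
    # Apache writes %t with a numeric UTC offset; keep it as a tz-aware datetime.
    fields["time"] = datetime.strptime(fields["time"], "%d/%b/%Y:%H:%M:%S %z")
    fields["status"] = int(fields["status"])
    fields["bytes"] = 0 if fields["bytes"] == "-" else int(fields["bytes"])  # %b is "-" for 0
    return fields

if __name__ == "__main__":
    for k, v in parse_event(SAMPLE_EVENT).items():
        print(f"{k:13} {v}")
```

The same two regexes, minus the Python glue, are what you would paste into the DSM editor's property expressions (the payload group as the base, then client_ip, url, status and so on mapped to QRadar's Source IP, URL and event fields).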


  • 3.  RE: Collecting Apache Logs by WinCollect File Forwarder

    Posted Wed August 11, 2021 08:07 AM

    Hello Davide,

    Please, how can we collect Apache logs from a Windows server using WinCollect?

    We already have a managed WinCollect on this server that collects OS logs, so what are the required info and actions from QRadar and the server to pull the Apache files?

    Regards,

    Thanks


