Apache Web Server

Modeling Rule

Apache Web Server

Details

IDApache_Web_Server
From Version6.8.0
To Version6.9.9
TagsApache Web Server

Rules (XIF)

[MODEL: dataset="apache_httpd_raw", model="Audit"] 
filter _raw_log contains "emerg" or  _raw_log contains "alert" or  _raw_log contains "error" or  _raw_log contains "warn" or  _raw_log contains "notice"
or  _raw_log contains "info" or  _raw_log contains "debug" or  _raw_log contains "trace1"
| alter Request_time = arrayindex(regextract(_raw_log , "(\w+\s[^\s]+\s\d+\s\d{2}\:\d{2}\:\d{2}\.\d+\s\d+)") , 0)
| alter log_level= arrayindex(regextract(_raw_log ,"\[\w+\:(\w+)\]") ,0)
| alter Tid= arrayindex(regextract(_raw_log ,"tid\s(\d+)") ,0)
| alter sourceipv4= arrayindex(regextract(_raw_log ,"client\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})") ,0)
| alter sourceipv6 = arrayindex(regextract(_raw_log ,"client\s(\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+)") ,0)
| alter sourceip = coalesce(sourceipv4 ,sourceipv6)
| alter pid = arrayindex(regextract(_raw_log ,"\[\w+\s(\d+)\:") ,0)
| alter error_status_code=arrayindex(regextract(_raw_log,"\:\d+\]\s+(\S+)\:") ,0)
| alter Source_code_file_line=arrayindex(regextract(_raw_log,"tid\s\d+\]\s([^\:|\[]+)") ,0)
| alter message=arrayindex(regextract(_raw_log,"client\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\S+[^\:]+\:([^\@]+)"),0)
| alter XDM.Audit.threat.severity = log_level
| alter XDM.Audit.identity.uuid=tid 
| alter XDM.Audit.TriggeredBy.ipv4 = sourceip 
| alter XDM.Audit.identity.uuid =pid
| alter XDM.Audit.TriggeredBy.identity.uuid = error_status_code 
| alter XDM.Audit.audited_resource.id = Source_code_file_line
| alter XDM.Audit.event_timestamp = parse_timestamp("%a %b %d %H:%M:%E*S %Y", request_time)
| alter XDM.Audit.threat.description = message;

[MODEL: dataset="apache_httpd_raw", model="Network"]
filter _raw_log contains "GET" or _raw_log contains "HEAD" or _raw_log contains "POST" or _raw_log contains "DELETE" or _raw_log contains "CONNECT" or _raw_log contains "OPTIONS" or _raw_log contains "TRACE" or _raw_log contains "PATCH"
| alter Request_time = arrayindex(regextract(_raw_log , "\[(\d+\/\w+\/\d+\:\d+\:\d+\:\d+\s\S+)\]") , 0) 
| alter Username = arrayindex(regextract(_raw_log,"(\S+)\s\[\d+\/") ,0)
| alter requested_line= arrayindex(regextract(_raw_log ,"\"(\w+\s[^\"]+)\"") ,0)
| alter response_code = arrayindex(regextract(_raw_log ,"\"\s(\d+)\s\d+") ,0)
| alter User_agent = arrayindex(regextract(_raw_log ,"\"\s\"([^\"]+)") ,0)
| alter Referrer= arrayindex(regextract(_raw_log ,"(http[^\"]+)"),0)
| alter bytes_size=arrayindex(regextract(_raw_log ,"\d\s(\d+)"),0)
// extract source_ip
| alter sourceipv4= arrayindex(regextract(_raw_log , "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s)") ,0)
| alter sourceipv6 = arrayindex(regextract(_raw_log ,"(\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+\:\w+)") ,0)
| alter sourceip = coalesce(sourceipv4 ,sourceipv6)
// end extract source_ip
| alter XDM.Network.event_timestamp= parse_timestamp("%d/%b/%Y:%H:%M:%S %Ez", Request_time)
| alter XDM.Network.Source.user.username =username
| alter XDM.Network.http.url = requested_line
| alter XDM.Network.http.response_code = response_code 
//| alter XDM.Network.http.user_agent= User_agent
| alter XDM.Network.http.referrer =Referrer
| alter XDM.Network.Destination.bytes=to_number(bytes_size)
| alter XDM.Network.Source.ipv4 =sourceip;

Schema

apache_httpd_raw

Field Type Array?
_raw_log string
Raw JSON
{
  "apache_httpd_raw": {
    "_raw_log": {
      "type": "string",
      "is_array": false
    }
  }
}