Apache
Use the IBM Security QRadar Apache Content Extension to closely monitor your Apache servers.
Configure the Apache DSM
This content extension requires that the LogFormat directive in the Apache configuration file be changed to:
LogFormat "%h %A %l %u %t \"%r\" %>s %p %b \"%{Referer}i\" \"%{User-agent}i\" %a %I %O %D" <log_format_name>
Where <log_format_name> is a nickname that you provide for the custom log format. The format only takes effect for an access log whose CustomLog directive references that same nickname, so update the CustomLog line as well.
For more information about configuring the Apache HTTP Server DSM, see Configuring Apache HTTP Server with syslog (https://www.ibm.com/docs/en/SS42VS_DSM/com.ibm.dsm.doc/t_DSM_guide_apache_cfg_syslog.html) or Configuring Apache HTTP Server with syslog-ng (https://www.ibm.com/docs/en/SS42VS_DSM/com.ibm.dsm.doc/t_DSM_guide_apache_cfg_syslogng.html).
IBM Security QRadar Apache Content Extension 1.0.3
The following table shows the custom properties that were renamed in IBM Security QRadar Apache Content Extension 1.0.3. The regular expressions are unchanged from 1.0.2.
Old Property Name | New Property Name |
---|---|
UrlHost | URL Host |
Packets for Client | Packets Sent |
Originating Host | Sender Host |
BytesSent | Bytes Sent |
BytesReceived | Bytes Received |
Referrer URL | URL Referrer |
IBM Security QRadar Apache Content Extension 1.0.2
The following table shows the custom properties in IBM Security QRadar Apache Content Extension 1.0.2.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
BytesReceived | Yes | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?"\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+([\d|-]+) |
BytesSent | Yes | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?"\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+.*?\s+([\d|-]+) |
Originating Host | Yes | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?"\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) |
Server Response Time | Yes | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?"\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+.*?\s+.*?\s+([\d|-]+) |
IBM Security QRadar Apache Content Extension 1.0.1
The following table shows the custom properties in IBM Security QRadar Apache Content Extension 1.0.1.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Referrer URL | Yes | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?\"\s\d+\s\d+\s.*?\"(.*?)" |
Server Response Time | Yes | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+.*?\s+.*?\s+([\d|-]+) |
IBM Security QRadar Apache Content Extension 1.0.0
The following table shows the custom properties in IBM Security QRadar Apache Content Extension 1.0.0.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
BytesReceived | Yes | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+([\d|-]+) |
BytesSent | Yes | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+.*?\s+([\d|-]+) |
Method | No | 1 | (GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH) |
Originating Host | Yes | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) |
Packets Sent | No | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?\d+\s+\d+\s+([\d|-]+)\s |
Referrer URL | No | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?\"\s\d+\s\d+\s.*?\"(.*?)" |
Response Code | No | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH)\s.*?\s([\d|-]+) |
URL Query String | No | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH)\s([^\;\s]+) |
UrlHost | Yes | 1 | (?:(?:http|ftp|tcp|ssl|https):\/\/)(.*?)(?=$|\s|\\|\"|\/|\:|\|) |
User Agent | No | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?\"\s\d+\s\d+\s.*?\".*?"\s+"(.*?)" |
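To check that a server's access log really matches the LogFormat required above, and to see what each custom property in the version tables extracts from a line, the following Python script (an added example; it is not part of the content extension or of IBM's documentation) runs the published 1.0.2 regexes, together with the 1.0.0/1.0.1 patterns they build on, over a constructed log line in the required format and over the same request in Apache's stock combined format. The two log lines, the extract and missing_properties helpers, and the factoring of the method alternation and dotted-quad into METHOD and IP are assumptions of this example; the regexes themselves are copied from the tables and keyed by their 1.0.3 names. Python's re module stands in for QRadar's regex engine here, which behaves the same for these patterns.

```python
import re

# Constructed sample: one request logged with the LogFormat required above,
#   %h %A %l %u %t "%r" %>s %p %b "%{Referer}i" "%{User-agent}i" %a %I %O %D
# (not a real server log; the addresses are documentation ranges).
CUSTOM_FORMAT_LINE = (
    '203.0.113.10 192.0.2.5 - - [10/Oct/2023:13:55:36 +0000] '
    '"GET /index.html?id=7 HTTP/1.1" 200 443 5120 '
    '"https://example.com/start" "Mozilla/5.0 (X11; Linux x86_64)" '
    '203.0.113.10 512 5300 1234'
)

# Constructed sample: the same request in Apache's stock "combined" format,
# which has no %a %I %O %D fields at the end of the line.
COMBINED_FORMAT_LINE = (
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] '
    '"GET /index.html?id=7 HTTP/1.1" 200 5120 '
    '"https://example.com/start" "Mozilla/5.0 (X11; Linux x86_64)"'
)

# The method alternation and the dotted-quad pattern open most of the
# extension's regexes; they are factored out here only for readability.
METHOD = r"(?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH)"
IP = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"

# Regexes copied from the version tables, keyed by their 1.0.3 names.
# Every value is read from capture group 1, as in the tables.
PROPERTIES = {
    # 1.0.2: these four key on the closing quote of the User-agent field
    # followed by the %a address, so they need the custom LogFormat.
    "Bytes Received":       METHOD + r'.*?"\s' + IP + r'\s+([\d|-]+)',
    "Bytes Sent":           METHOD + r'.*?"\s' + IP + r'\s+.*?\s+([\d|-]+)',
    "Sender Host":          METHOD + r'.*?"\s(' + IP + r')',
    "Server Response Time": METHOD + r'.*?"\s' + IP + r'\s+.*?\s+.*?\s+([\d|-]+)',
    # 1.0.0 / 1.0.1: unchanged in later releases apart from renaming.
    "Method":               r'(GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH)',
    "Response Code":        METHOD + r'\s.*?\s([\d|-]+)',
    "URL Referrer":         METHOD + r'.*?\"\s\d+\s\d+\s.*?\"(.*?)"',
    "User Agent":           METHOD + r'.*?\"\s\d+\s\d+\s.*?\".*?"\s+"(.*?)"',
    "URL Host":             r'(?:(?:http|ftp|tcp|ssl|https):\/\/)(.*?)(?=$|\s|\\|\"|\/|\:|\|)',
}

# Properties that exist only because of the %a %I %O %D fields.
FORMAT_DEPENDENT = ("Bytes Received", "Bytes Sent", "Sender Host", "Server Response Time")


def extract(line, properties=PROPERTIES):
    """Apply every property regex to one log line.

    Returns {property name: captured value}; a property whose regex does not
    match maps to None, which is what QRadar shows for that event.
    """
    values = {}
    for name, pattern in properties.items():
        match = re.search(pattern, line)
        values[name] = match.group(1) if match else None
    return values


def missing_properties(line):
    """Names of the format-dependent properties that fail to parse on `line`.

    An empty list means the line matches the required LogFormat; the full
    list of four means the server is still logging a stock format.
    """
    values = extract(line)
    return [name for name in FORMAT_DEPENDENT if values[name] is None]


if __name__ == "__main__":
    for label, line in (("custom LogFormat", CUSTOM_FORMAT_LINE),
                        ("stock combined format", COMBINED_FORMAT_LINE)):
        print(f"--- {label} ---")
        for name, value in extract(line).items():
            print(f"{name:21} {value}")
        print("not parsed:", missing_properties(line) or "none")
```

On the custom-format line every property parses and Bytes Received, Bytes Sent, Sender Host and Server Response Time come out of the trailing %I, %O, %a and %D fields. On the combined-format line Method, Response Code, URL Referrer, User Agent and URL Host still parse, but the four 1.0.2 properties return nothing, because nothing follows the quoted User-agent. That pattern, request fields populated and byte counts, sender host and response time empty, is what to look for in QRadar when a server has not had its LogFormat changed.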