Apache

Use the IBM® QRadar® Apache Content Extension to closely monitor your Apache servers.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

Configure the Apache DSM

This content extension requires a change to the LogFormat line of Apache configuration file to:


LogFormat "%h %A %l %u %t \"%r\" %>s %p %b \"%{Referer}i\" \"%{User-agent}i\" %a %I %O %D" <log_format_name>

Where <log format name> is a variable name you provide to define the custom log format.

For more information about configuring the Apache HTTP Server DSM, see Configuring Apache HTTP Server with syslog (https://www.ibm.com/docs/en/SS42VS_DSM/com.ibm.dsm.doc/t_DSM_guide_apache_cfg_syslog.html) or Configuring Apache HTTP Server with syslog-ng (https://www.ibm.com/docs/en/SS42VS_DSM/com.ibm.dsm.doc/t_DSM_guide_apache_cfg_syslogng.html).

IBM Security QRadar Apache Content Extension 1.0.2

The following table shows the custom properties in IBM Security QRadar Apache Content Extension 1.0.2.

Table 1. Custom Properties in IBM Security QRadar Apache Content Extension 1.0.2
Name Optimized Capture Group Regex
BytesReceived Yes 1 (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?"\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+([\d|-]+)
BytesSent Yes 1 (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).?"\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+.?\s+([\d|-]+)
Originating Host Yes 1 (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?"\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
Server Response Tiem Yes 1 (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).?"\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+.?\s+.*?\s+([\d|-]+)

IBM Security QRadar Apache Content Extension 1.0.1

The following table shows the custom properties in IBM Security QRadar Apache Content Extension 1.0.1.

Table 2. Custom Properties in IBM Security QRadar Apache Content Extension 1.0.1
Name Optimized Capture Group Regex
Referrer URL Yes 1 (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?\"\s\d+\s\d+\s.*?\"(.*?)"
Server Response Time Yes 1 (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+.*?\s+.*?\s+([\d|-]+)

IBM Security QRadar Apache Content Extension 1.0.0

The following table shows the custom properties in IBM Security QRadar Apache Content Extension 1.0.0.

Table 3. Custom Properties in IBM Security QRadar Apache Content Extension 1.0.0
Name Optimized Capture Group Regex
BytesReceived Yes 1 (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+([\d|-]+)
BytesSent Yes 1 (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+.*?\s+([\d|-]+)
Method No 1 (GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH)
Originating Host Yes 1 (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
Packets Sent No 1 (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?\d+\s+\d+\s+([\d|-]+)\s
Referrer URL No 1 (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?\"\s\d+\s\d+\s.*?\"(.*?)"
Response Code No 1 (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH)\s.*?\s([\d|-]+)
URL Query String No 1 (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH)\s([^\;\s]+)
UrlHost Yes 1 (?:(?:http|ftp|tcp|ssl|https):\/\/)(.*?)(?=$|\s|\\|\"|\/|\:|\|)
User Agent No 1 (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?\"\s\d+\s\d+\s.*?\".*?"\s+"(.*?)"