IBM Support

QRadar SOAR: client_access log

How To


Summary

Explanation of the output in client_access*.log.

Steps

Relevant excerpt from /usr/share/co3/conf/server.xml:

        <!--
        Resilient Access logger - uses all the same properties as the one provided by Tomcat, and adds an additional
        property "uriRegex" : a regular expression matching URIs of requests that will have their access logged before
        the request is processed, in addition to the normal behavior that logs after the request is processed.
        For example,
               uriRegex="/rest/.*"
        will log all Resilient REST service requests twice, once before, and once after, processing. Used to find
        pending requests that may be taking a long time.
        When setting uriRegex, set the "pattern" property to include the thread name, %I, for example,
               pattern="%h %l %u %t "%r" %s %b %D %I"
        so that the pending and completed request log entries can be correlated.
        The pending request logging should be set off unless needed, by passing an empty value or omitting the property.
        -->
        <Valve className="com.co3.tomcat.valves.RequestAccessLogValve"
               directory="logs"
               prefix="${valvePrefix}"
               suffix=".log"
               requestAttributesEnabled="true"
               pattern="%h %l %u %t &quot;%r&quot; %s %b %D %{count_db_queries}r %{query_execution_time}r [%{res_user_email}s] %I"
               uriRegex="/rest/.*"
               renameOnRotate="${valveRenameOnRotate}" />

https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/AccessLogValve.html

 %a - Remote IP address
 %A - Local IP address
 %b - Bytes sent, excluding HTTP headers, or '-' if no bytes were sent
 %B - Bytes sent, excluding HTTP headers
 %h - Remote host name (or IP address if enableLookups for the connector is false)
 %H - Request protocol
 %l - Remote logical username from identd (always returns '-')
 %m - Request method
 %p - Local port
 %q - Query string (prepended with a '?' if it exists, otherwise an empty string)
 %r - First line of the request
 %s - HTTP status code of the response
 %S - User session ID
 %t - Date and time, in Common Log Format format
 %u - Remote user that was authenticated
 %U - Requested URL path
 %v - Local server name
 %D - Time taken to process the request, in millis
 %T - Time taken to process the request, in seconds
 %I - current Request thread name (can compare later with stacktraces)

The pattern we use is:

pattern="%h %l %u %t &quot;%r&quot; %s %b %D %{count_db_queries}r %{query_execution_time}r [%{res_user_email}s] %I"

Translates to, field by field from left to right:

 %h - Remote host name (or IP address)
 %l - Remote logical username from identd (always '-')
 %u - Remote user that was authenticated
 %t - Date and time, in Common Log Format
 "%r" - First line of the request, in double quotes, for example "GET /rest/orgs/201 HTTP/1.1"
 %s - HTTP status code of the response
 %b - Bytes sent, excluding HTTP headers ('-' if no bytes were sent)
 %D - Time taken to process the request, in millis
 %{count_db_queries}r - Request attribute count_db_queries: number of database queries run for the request
 %{query_execution_time}r - Request attribute query_execution_time: total time spent executing those database queries
 [%{res_user_email}s] - Session attribute res_user_email, in square brackets: email address of the logged-in SOAR user ('-' if there is no session)
 %I - Current request thread name (can be compared later with stack traces; when uriRegex is set, it is also the key for matching a pending entry to its completed entry)
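The following script is an added example, not code from this IBM document or from the SOAR product. It builds a regex from the valve pattern above (and, more generally, from any pattern made of the AccessLogValve codes listed on this page), parses client_access*.log lines, pairs the entry written before processing with the completed entry on the same %I thread as described in the server.xml comment, and reports requests that are still pending, that were slow, or that ran per user. Two things are assumptions: the page does not show what a pre-processing entry looks like, so the script treats an entry with '-' in %s as one written before the response existed; and the sample log lines, hosts, emails, REST paths and thread names are constructed for illustration, not taken from a real system.

```python
"""Parse QRadar SOAR client_access*.log lines and correlate pending/completed
entries by thread name (%I). Added example; not IBM or SOAR product code."""
import re
import sys
from collections import defaultdict

# Pattern from server.xml; Tomcat turns the &quot; entities into literal quotes.
SOAR_PATTERN = ('%h %l %u %t "%r" %s %b %D %{count_db_queries}r '
                '%{query_execution_time}r [%{res_user_email}s] %I')

# Codes whose value is one whitespace-free token ('-' when no value exists).
SIMPLE_CODES = set("aAbBhHlmpqsSuUvDTI")


def pattern_to_regex(pattern):
    """Compile an AccessLogValve pattern into a regex with one named group per
    code: plain codes are named by their letter; %{name}r / %{name}s (request /
    session attributes) and %{name}i / o / c by the attribute name."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern[i] != '%':
            parts.append(re.escape(pattern[i]))   # literal separator text
            i += 1
            continue
        code = pattern[i + 1:i + 2]
        if code == '{':
            end = pattern.index('}', i)
            name = re.sub(r'\W', '_', pattern[i + 2:end])
            kind = pattern[end + 1:end + 2]
            if not kind or kind not in 'rsioc':
                raise ValueError('unsupported attribute code %%{%s}%s' % (name, kind))
            # Attribute values may contain spaces (headers do); the anchored regex
            # plus the literal separators around the group keep this unambiguous.
            parts.append('(?P<%s>.+?)' % name)
            i = end + 2
        elif code == 't':
            parts.append(r'\[(?P<t>[^\]]+)\]')    # [dd/MMM/yyyy:HH:mm:ss Z]
            i += 2
        elif code == 'r':
            parts.append(r'(?P<r>[^"]*)')         # the quotes come from the pattern
            i += 2
        elif code and code in SIMPLE_CODES:
            parts.append(r'(?P<%s>\S+)' % code)
            i += 2
        else:
            raise ValueError('unsupported pattern code %%%s' % code)
    return re.compile('^' + ''.join(parts) + '$')


def parse_line(regex, line):
    """Return a dict of named fields, or None if the line does not match."""
    m = regex.match(line.rstrip('\n'))
    return m.groupdict() if m else None


def correlate(entries):
    """Pair each pre-processing entry with the completed entry on the same thread.
    ASSUMPTION: the entry logged before processing has '-' for %s. A thread serves
    one request at a time, so a new pending entry on a thread means the previous
    request's completion was never logged; the stale one is replaced."""
    open_by_thread, completed = {}, []
    for e in entries:
        if e is None:
            continue
        thread = e['I']
        if e['s'] == '-':
            open_by_thread[thread] = e
            continue
        pending = open_by_thread.get(thread)
        if pending and pending['r'] == e['r']:
            e = dict(e, started=pending['t'])  # keep the pre-processing timestamp
            del open_by_thread[thread]
        completed.append(e)
    return completed, list(open_by_thread.values())


def slow_requests(completed, threshold_ms):
    """Completed requests whose %D is at least threshold_ms, slowest first."""
    slow = [e for e in completed if e['D'] != '-' and int(e['D']) >= threshold_ms]
    return sorted(slow, key=lambda e: int(e['D']), reverse=True)


def requests_by_user(completed):
    """Count completed requests per res_user_email ('-' means no SOAR session)."""
    counts = defaultdict(int)
    for e in completed:
        counts[e['res_user_email']] += 1
    return dict(counts)


# Constructed sample (not real log data). /rest/ requests appear twice because
# uriRegex="/rest/.*" matches them; the static file is logged once only.
SAMPLE_LINES = [
    '10.0.0.5 - - [16/Jun/2025:10:15:01 +0000] "GET /rest/orgs/201 HTTP/1.1" - - - - - [alice@example.com] http-bio-8443-exec-3',
    '10.0.0.5 - - [16/Jun/2025:10:15:01 +0000] "GET /rest/orgs/201 HTTP/1.1" 200 5120 43 7 12 [alice@example.com] http-bio-8443-exec-3',
    '10.0.0.7 - - [16/Jun/2025:10:15:02 +0000] "POST /rest/orgs/201/incidents HTTP/1.1" - - - - - [bob@example.com] http-bio-8443-exec-5',
    '10.0.0.9 - - [16/Jun/2025:10:15:03 +0000] "GET /static/app.js HTTP/1.1" 200 88211 5 0 0 [-] http-bio-8443-exec-2',
    '10.0.0.5 - - [16/Jun/2025:10:15:09 +0000] "GET /rest/orgs/201/incidents HTTP/1.1" - - - - - [alice@example.com] http-bio-8443-exec-3',
    '10.0.0.5 - - [16/Jun/2025:10:15:12 +0000] "GET /rest/orgs/201/incidents HTTP/1.1" 200 204811 3105 42 2870 [alice@example.com] http-bio-8443-exec-3',
]

if __name__ == '__main__':
    regex = pattern_to_regex(SOAR_PATTERN)
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LINES
    completed, pending = correlate(parse_line(regex, l) for l in lines)
    for e in pending:
        print('PENDING %-22s %s [%s]' % (e['I'], e['r'], e['res_user_email']))
    for e in slow_requests(completed, 1000):
        print('SLOW %6s ms %4s db queries %s' % (e['D'], e['count_db_queries'], e['r']))
    print('requests per user:', requests_by_user(completed))
```

Run it with the path to a client_access*.log file as the only argument, or with no argument to see it work on the constructed sample. A PENDING line for a thread that stays pending across several log rotations is the case the server.xml comment describes; take a thread dump and search it for that %I thread name.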

Document Location

Worldwide


Document Information

Modified date:
16 June 2025

UID

ibm17236926