How to forward Apache server logs to WAZUH manager?


M.Ali

Oct 9, 2019, 5:16:24 AM
to Wazuh mailing list
Hi everyone,


I want to forward Apache web server logs to Wazuh. There are some user access logs in the "www" folder, other than the Apache default logs, that I also want to forward to Wazuh, and I want to create login, logout and login failure alerts against them. An agent is already installed on the server and forwarding OS logs. Please help me with a step-by-step process.
Thanks a lot in advance.



Eva Lopez

Oct 9, 2019, 5:43:34 AM
to Wazuh mailing list

Hello M. Ali,

To send Apache logs to Wazuh manager you can use Log Data Collection. You can configure it using our documentation. An example of configuration could be the following:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/apache.log</location>
  </localfile>

We have rules and decoders for Apache logs; you can find them in the ruleset/rules/0250-apache_rules.xml and ruleset/decoders/0025-apache_decoders.xml files.
Also, you can create your own rules and decoders. Follow the link for more information: Custom rules and decoders

If you need help with some rule or decoder you should send us the log you want to generate the alert.

I hope it helps you. If you have further questions let us know.

Best regards,
Eva

M.Ali

Oct 19, 2019, 4:33:25 AM
to Wazuh mailing list
I created the configuration for the Apache WAMP logs with the help of Log Data Collection, which is the following:

  <localfile>
    <log_format>syslog</log_format>
    <location>c:\wamp\www\logs\%y_%m_user_access.log</location>
  </localfile>


Now I am confused about where this code needs to be pasted: in the agent's ossec.conf file or in the Wazuh manager's ossec.conf file?

Eva Lopez

Oct 21, 2019, 2:59:53 AM
to Wazuh mailing list

Hello M. Ali,

This configuration must be added on the machine where you have the Apache server.

If it's a manager, add the configuration in the manager's ossec.conf.
If it's an agent, you can add it in the ossec.conf found in the agent or in agent.conf.
The agent.conf file is useful to configure the agents remotely; you can read more about it by following the link.

Best regards,
Eva

rukende...@gmail.com

Oct 9, 2020, 4:43:56 AM
to Wazuh mailing list
@M.Ali,

Were you able to get the Apache logs? I need help with this. I have made the required changes, but I'm still not getting logs in Wazuh.

Victor Fernandez

Oct 9, 2020, 6:22:17 AM
to rukende...@gmail.com, Wazuh mailing list
Hi Rukender,

Let's check the configuration and the rules for access logs to produce alerts.

First, the actual location of the log files is C:\wamp\logs as I checked on Wamp:

[screenshot of the Wamp log folder omitted]

So we will monitor access.log or *.log, depending on whether we want to monitor all files. This is the corresponding configuration for the agent (we set it remotely in the manager: /var/ossec/etc/shared/default/agent.conf):

<agent_config os="windows">

  <localfile>
    <log_format>syslog</log_format>
    <location>C:\wamp\logs\*.log</location>
  </localfile>

</agent_config>

Every agent running on Windows will apply the configuration automatically. The agent log (C:\Program Files (x86)\ossec-agent\ossec.log) will confirm this:

2020/10/09 02:41:59 ossec-agent: INFO: (1957): New file that matches the 'C:\wamp\logs\*.log' pattern: 'C:\wamp\logs\access.log'.
2020/10/09 02:41:59 ossec-agent: INFO: (1957): New file that matches the 'C:\wamp\logs\*.log' pattern: 'C:\wamp\logs\apache_error.log'.
2020/10/09 02:41:59 ossec-agent: INFO: (1957): New file that matches the 'C:\wamp\logs\*.log' pattern: 'C:\wamp\logs\mariadb.log'.
2020/10/09 02:41:59 ossec-agent: INFO: (1957): New file that matches the 'C:\wamp\logs\*.log' pattern: 'C:\wamp\logs\mysql.log'.
2020/10/09 02:41:59 ossec-agent: INFO: (1957): New file that matches the 'C:\wamp\logs\*.log' pattern: 'C:\wamp\logs\php_error.log'.
2020/10/09 02:41:59 ossec-agent: INFO: (1957): New file that matches the 'C:\wamp\logs\*.log' pattern: 'C:\wamp\logs\wamptrace.log'.

The agent should now send the logs to the manager. In order to check this, we can enable the archives in the manager (/var/ossec/etc/ossec.conf):

<ossec_config>
  <global>
    <logall>yes</logall>
    <!-- rest of the existing <global> settings unchanged -->
  </global>
  <!-- rest of the existing manager configuration unchanged -->
</ossec_config>

We restart the manager:

$ sudo service wazuh-manager restart

Now, access logs should appear in /var/ossec/logs/archives/archives.log:

2020 Oct 09 11:43:32 (windows) any->\wamp\logs\access.log ::1 - - [09/Oct/2020:02:43:31 -0700] "GET / HTTP/1.1" 200 6019

But this triggers no alerts as we can check in ossec-logtest:

$ echo '::1 - - [09/Oct/2020:02:43:31 -0700] "GET / HTTP/1.1" 200 6019' | sudo /var/ossec/bin/ossec-logtest
2020/10/09 11:44:14 ossec-testrule: INFO: Started (pid: 11199).
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
       full event: '::1 - - [09/Oct/2020:02:43:31 -0700] "GET / HTTP/1.1" 200 6019'
       timestamp: '(null)'
       hostname: 'focal'
       program_name: '(null)'
       log: '::1 - - [09/Oct/2020:02:43:31 -0700] "GET / HTTP/1.1" 200 6019'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '::1'
       protocol: 'GET'
       url: '/'
       id: '200'

**Phase 3: Completed filtering (rules).
       Rule id: '31108'
       Level: '0'
       Description: 'Ignored URLs (simple queries).'

This is rule 31108, defined in 0245-web_rules.xml. We can redefine it in order to increase its level to 3 so that it will produce an alert. We add this rule to /var/ossec/etc/rules/local_rules.xml:

<group name="web,accesslog,">
  <rule id="31108" level="3" overwrite="yes">
    <if_sid>31100</if_sid>
    <id>^2|^3</id>
    <compiled_rule>is_simple_http_request</compiled_rule>
    <description>Simple query.</description>
  </rule>
</group>

If we test the log again, ossec-logtest will confirm that this log will produce an alert:

$ echo '::1 - - [09/Oct/2020:02:43:31 -0700] "GET / HTTP/1.1" 200 6019' | sudo /var/ossec/bin/ossec-logtest

(...)

**Phase 3: Completed filtering (rules).
       Rule id: '31108'
       Level: '3'
       Description: 'Simple query.'
**Alert to be generated.

In fact, if we restart the manager again and access the web server, we will find an alert:

** Alert 1602237150.333040: - web,accesslog,
2020 Oct 09 11:52:30 (windows) any->\wamp\logs\access.log
Rule: 31108 (level 3) -> 'Simple query.'
Src IP: ::1
::1 - - [09/Oct/2020:02:52:29 -0700] "GET / HTTP/1.1" 200 6019

Hope this helps you.
Best regards.

Victor M. Fernandez-Castro 
Director of engineering | vic...@wazuh.com
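The following script, added here and not part of the thread or of Wazuh itself, models the pipeline Victor walks through above: it extracts the same fields that the web-accesslog decoder shows in Phase 2 (srcip, protocol, url, id) and then applies the matching conditions of rule 31108 (status 2xx/3xx plus a "simple" request) so you can see, before touching local_rules.xml, which access-log lines the level-3 overwrite will turn into alerts. The sample lines other than the first are constructed, and the "simple request" check is an assumed approximation of the compiled rule is_simple_http_request, whose exact logic is not shown on the page.

```python
import re

# Constructed sample access-log lines; the first is the line quoted in the thread.
SAMPLE_LOGS = [
    '::1 - - [09/Oct/2020:02:43:31 -0700] "GET / HTTP/1.1" 200 6019',
    '10.0.0.5 - - [09/Oct/2020:02:45:10 -0700] "GET /login.php?user=bob HTTP/1.1" 200 512',
    '10.0.0.5 - - [09/Oct/2020:02:45:11 -0700] "GET /missing HTTP/1.1" 404 209',
]

# Apache common log format: client, ident, user, [time], "METHOD URL PROTO", status, size
ACCESS_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<protocol>[A-Z]+) (?P<url>\S+)[^"]*" (?P<id>\d{3})'
)

def decode(line):
    """Extract the fields the web-accesslog decoder shows in Phase 2 of ossec-logtest."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None

def is_simple_http_request(url):
    """Assumption: a 'simple' request is a plain path with no query string.
    This only approximates the compiled rule; its real implementation is not on the page."""
    return "?" not in url

def evaluate(line, level_31108=0):
    """Run a decoded event through the rule logic discussed in the thread.

    level_31108=0 is the stock level (no alert); pass 3 to model the
    local_rules.xml overwrite shown above.
    """
    ev = decode(line)
    if ev is None:
        return None
    # Rule 31108: child of 31100, matches <id>^2|^3</id> on a simple request.
    if re.match(r"^2|^3", ev["id"]) and is_simple_http_request(ev["url"]):
        return {"rule": 31108, "level": level_31108, "alert": level_31108 > 0,
                "srcip": ev["srcip"], "url": ev["url"]}
    # Everything else stays on the level-0 parent rule 31100 in this simplified model
    # (the real ruleset has further child rules that are not modeled here).
    return {"rule": 31100, "level": 0, "alert": False,
            "srcip": ev["srcip"], "url": ev["url"]}

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(evaluate(line, level_31108=3))
```

Note that after the overwrite every ordinary 2xx/3xx page view becomes a level-3 alert, so on a busy server this is a volume test for your alerting pipeline rather than a security signal; the script makes that visible before you deploy the rule.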



rukende...@gmail.com

Oct 13, 2020, 2:51:24 AM
to Wazuh mailing list
Victor, it worked.

Thanks!
