
RSA 

Event Source Configuration Guide

Apache HTTP Server
Last Modified: Friday, October 31, 2014
Event Source (Device) Product Information
    Vendor: Apache
    Event Source (Device): HTTP Server
    Supported Versions: 2.1, 2.2, 2.4
    Additional Downloads: sftpagent.conf.apache, nicsftpagent.conf.apache

RSA Product Information
    Supported Version: RSA enVision 4.1
    Device Type: apache, 45
    Collection Method: File Reader
    Device Class.Subclass: Host.Web Logs
    Content 2.0 Table: Web

This document contains the following information for the Apache HTTP Server event source:
• Configuration Instructions
• Release Notes 20141031-154112

Apache HTTP Server Configuration Instructions


You can configure Apache HTTP Server depending on your operating system. Configure Apache
HTTP Server as follows:
• Configure File collection
• Configure Apache HTTP Server for Windows
• Configure Apache HTTP Server for Unix
• Set Up the NIC SFTP Agent
• Set Up the NIC File Reader Service
• Configure Syslog collection (Unix/Linux only)

Note: For Apache HTTP Server, you can choose to configure Syslog or File collection, but not both.

Important: RSA prefers the use of the new logging format for configuring Apache HTTP Server
for Windows and Unix.

Copyright © 2014 EMC Corporation. All Rights Reserved.


RSA Event Source

Configure File Collection


RSA supports file collection for Windows and UNIX. Choose the appropriate steps for your Operating
System.
• Configure File Collection on Windows
• Configure File Collection on UNIX

Configure File Collection on Windows


To configure File collection for Apache HTTP Server on Windows:
Depending on your logging format, do one of the following:
• For the new form of logging, verify that the following script is present (and not commented out) in
the httpd.conf file on the Apache server:
    LogFormat "%h %l %u %t \"%m \"%V\" \"%U\" \"%q\" %H\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cookie}i\"" custom
    CustomLog '|"C:/Program Files/Apache Software Foundation/Apache2.2/bin/rotatelogs.exe" "logs/access.log" 86400' custom

where 86400 represents the number of seconds to keep the current log file open before rotating it
and starting a new log.

Note: The location of the rotatelogs.exe file may vary.

• For an earlier logging format, verify that the following script is present (and not commented out) in
the httpd.conf file on the Apache server:
    LogFormat "%h %l %u %t %r %>s %b" common
    CustomLog '|"C:/Program Files/Apache Group/Apache2/bin/rotatelogs.exe" "logs/access_log" 86400' common

where 86400 represents the number of seconds to keep the current log file open before rotating it
and starting a new log.

Note: These scripts create a log file called access_log<timestamp> when the log file is rotated. These
are the logs that are sent to the RSA enVision appliance server via FTP. The enVision NIC File Reader
service reads the files.

Configure File Collection on UNIX


To configure File Collection for Apache HTTP Server on UNIX:
Depending on your logging format, do one of the following:
• For the new form of logging, verify that the following lines are present (and not commented out) in
the apache2.conf file on the Apache server:
    LogFormat "%h %l %u %t \"%m \"%V\" \"%U\" \"%q\" %H\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cookie}i\"" custom
    CustomLog "|/usr/sbin/rotatelogs /var/log/access.log 86400" custom

where 86400 represents the number of seconds to keep the current log file open before rotating it
and starting a new log.
• For an earlier form of logging, verify the following lines are present (and not commented out) in
the httpd.conf file on the Apache server:
    LogFormat "%h %l %u %t %r %>s %b" common
    CustomLog "|/usr/local/apache/bin/rotatelogs /var/log/access_log 86400" common

where 86400 represents the number of seconds needed to keep the current log file open before
rotating it and starting a new log.
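
An added example, not part of the RSA guide: a Python parser for lines written with the new-format ("custom") LogFormat above, useful for checking that rotated files have the expected shape before they are collected. The function names, the sample line and the cookie-name helper are assumptions made for illustration; lines written with the rsa syslog format are not handled.

```python
import re

# Added example. Field order follows the "custom" LogFormat shown above:
# %h %l %u %t "%m "%V" "%U" "%q" %H" %>s %b "Referer" "User-Agent" "Cookie"
def _q(name):
    # Quoted field. mod_log_config writes a literal " in a value as \" and \ as \\.
    return r'"(?P<%s>(?:[^"\\]|\\.)*)"' % name

CUSTOM_RE = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) ' + _q("vhost") + " " + _q("path") + " " + _q("query")
    + r' (?P<protocol>[^"\s]+)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    + _q("referer") + " " + _q("user_agent") + " " + _q("cookie") + "$"
)

_NAMED = {"n": "\n", "t": "\t", "r": "\r", "b": "\b", "v": "\v", "f": "\f"}

def unescape(value):
    # Undo Apache's log escaping: \xhh, C-style whitespace, \" and \\.
    def repl(m):
        esc = m.group(1)
        if esc[0] == "x" and len(esc) == 3:
            return chr(int(esc[1:], 16))
        return _NAMED.get(esc, esc)
    return re.sub(r'\\(x[0-9A-Fa-f]{2}|.)', repl, value)

def parse_line(line):
    # Return a dict of fields, or None when the line is not in the custom format.
    m = CUSTOM_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return {k: unescape(v) for k, v in m.groupdict().items()}

def cookie_names(cookie_header):
    # Names only: the format logs the full Cookie header, so values are left out.
    if cookie_header in ("", "-"):
        return []
    return [p.split("=", 1)[0].strip() for p in cookie_header.split(";") if p.strip()]

# Constructed sample line (not from a real server); the User-Agent holds escaped quotes.
SAMPLE = (
    r'192.0.2.10 - alice [31/Oct/2014:15:41:12 +0000] "GET "www.example.com" "/search" "?q=logs" '
    r'HTTP/1.1" 200 5120 "-" "ExampleAgent/1.0 \"beta\"" "SESSIONID=abc123; theme=dark"'
)

if __name__ == "__main__":
    rec = parse_line(SAMPLE)
    print(rec["method"], rec["vhost"], rec["path"], rec["query"], rec["status"])
    print("cookies present:", cookie_names(rec["cookie"]))
```

A line in the earlier common format returns None, which makes a file that is still written with the old LogFormat easy to spot.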


Set Up the NIC SFTP Agent


This section describes how to set up the NIC SFTP Agent on Windows or UNIX.

Set Up the NIC SFTP Agent on Windows


1. Follow these steps to download the NIC SFTP Agent sample file:

Note: The SFTP sample file is available on RSA SecurCare Online (SCOL) and on the RSA
enVision appliance. For details, see RSA enVision NIC SFTP Agent Configuration, which is
available on SecurCare Online.

a. Log on to SecurCare Online (SCOL).


b. In the Browse by Product Family section, click RSA enVision.
c. From the navigation pane at the top, select Documentation, and click RSA enVision
Device Configurations.
d. From the list, find the event source for which you want the sample file. The name of the
sample file is sftpagent.conf.eventsourcename, where eventsourcename is the name of the
event source to which the sample file relates.
2. To set up the NIC SFTP Agent, you must edit the NIC SFTP Agent sample file. For instructions,
see RSA enVision NIC SFTP Agent Configuration, which is available on SecurCare Online.

Set Up the NIC SFTP Agent on UNIX


1. Follow these steps to download the NIC FTP Agent file:
a. Log on to SecurCare Online (SCOL).
b. In the Browse by Product Family section, click RSA enVision.
c. In the See Also section, click enVision Secure FTP Agent.
d. In the Latest RSA enVision Downloads section, click RSA enVision 3.7.0 Secure
FTP Agent Updates.
e. Download the nicsftpagent.sh file. Click Unix NIC FTP Agent, and save the file to the
/usr/local/nic/ directory.
2. Follow these steps to download the NIC SFTP Agent sample file:

Note: The SFTP sample file is available on RSA SecurCare Online (SCOL) and on the RSA
enVision appliance. For details, see RSA enVision NIC SFTP Agent Configuration, which is
available on SecurCare Online.


a. From SecurCare Online in the Browse by Product Family section, click RSA enVision.
b. From the navigation pane at the top, select Documentation, and click RSA enVision
Device Configurations.
c. From the list, find the desired event source for which you want the sample file. The name of
the sample file is nicsftp.conf.eventsourcename, where eventsourcename is the name of
the event source.
d. Change the name of the file to nicsftpagent.conf, and save it to the /usr/local/nic/
directory.
3. To set up the NIC SFTP Agent, you must edit the NIC SFTP Agent sample file. You must update
the following parameters:
Setting: Description
    ENVISION: Set this value to the IP address of the RSA enVision server.
    ENVISION_DIRECTORY: event_source_IP_address
        Where event_source is the label for the event source (you do not need to change
        this label), and IP_address is the IP address for the event source.
        For example, if the event source is EMC Isilon, and its IP address is 172.16.0.51,
        set the parameter as follows:
        ENVISION_DIRECTORY=EMCISILON_172.16.0.51


Set Up the NIC File Reader Service


To add Apache HTTP Server through the NIC File Reader Service:
1. Log on to the RSA enVision platform with administrative credentials.
2. Select Overview > System Configuration > Services > Device Services > Manage File Reader
Server.
3. Click Add.
4. Complete the fields as follows.
Field: Action
    IP address: Enter the IP address of your Apache HTTP Server event source.
    File reader type: Select APACHE.

5. Ensure that Start File Reader Service on Apply is selected.


6. Click Apply.


Configure Syslog Collection for Apache HTTP Server on UNIX

For Apache HTTP Server, RSA supports syslog collection only for UNIX.

To configure Syslog Collection for Apache HTTP Server:


1. Open the /etc/httpd/conf/httpd.conf file, and find several lines that begin with LogFormat. Add
the following line after the final LogFormat line:
    LogFormat "\"%m: %h %l %u %t \"%m \"%V\" \"%U\" \"%q\" %H\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cookie}i\"" rsa

Note: Add the above as a single line in the httpd.conf file.

2. Find the following line:


CustomLog logs/access_log combined

and replace combined with rsa, so that the line reads as follows:
CustomLog logs/access_log rsa

3. Add the following lines to the end of the /etc/rsyslog.conf file:


#### MODULES ####
$ModLoad imfile # load the imfile input module
# Watch /var/log/httpd/access_log
$InputFileName /var/log/httpd/access_log
$InputFileTag %APACHE-
$InputFileStateFile state-apache-access
$InputRunFileMonitor
*.* @ipaddress

where ipaddress is the IP address of your RSA enVision appliance.


4. Restart the httpd and rsyslog services.

Apache HTTP Server Release Notes (20141031-154112)

What's New in This Release


RSA has added support for Syslog collection for the Apache HTTP Server event source.

New and Updated Event Messages in Apache HTTP Server

For complete details on new and updated messages, see the Event Source Update Help.
