This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

nginx logs to RSA netwitness

azimgambarli
Beginner
Beginner

‎2020-05-20 08:25 AM

Dears,

 

Has anybody tried to monitor nginx web server using RSA Netwitness? If so please share the config sample to forward logs to Netwitness from linux web server?  I tried apache log source configuration guide with no luck.

 

Any help appreciated.

0 Likes
8 REPLIES 8

EricaChalfin
Employee (Retired) Employee (Retired)
Employee (Retired)

‎2020-05-20 09:20 AM

azim gambarli‌,

 

I've moved your question to the RSA NetWitness Platform" data-type="space space where it will be seen by the product's support engineers, other customers and partners.  Please bookmark this page and use it when you have product-specific questions.

 

Alternatively, from the RSA Customer Support page, click on Ask A Question on the blue navigation bar and choose Ask A Product Related Question.  From there, scroll to RSA NetWitness Platform" data-type="space and click Ask A Question.  That way your question will appear in the correct space.

 

Regards,

Erica

0 Likes

RafaelSampaio
Contributor Contributor
Contributor

‎2020-05-20 04:10 PM

Hi!

 

Did you try sending logging messages using Nginx instead of syslogd? You can check the configuration here https://docs.nginx.com/nginx/admin-guide/monitoring/logging/

0 Likes

azimgambarli
Beginner
Beginner
In response to RafaelSampaio

‎2020-05-21 08:07 AM

Dear Rafael,

 

I used the link to setup syslog via nginx. But experienced the same issue as it was with rsyslog. The logs coming to RSA Netwitness with extra "syslog header" which repeats Date and contains Tag and hostname, despite of their local storage format. These logs parsed incorrectly.

 

Any additional suggestions?

0 Likes

RafaelSampaio
Contributor Contributor
Contributor
In response to azimgambarli

‎2020-05-21 09:01 AM

Hi Azim!

 

Which parser is processing the Nginx logs in your environment?

 

One approach would be to create a new parser according to your log format. You may use try modifying the log format to a key-value config so you could use Log Parser Rules (Log Parser Customize: Add a Log Parser Rule)

 

Another approach could be formating messages in the same way NetWitness parses Apache logs if you can add the same headers in the message, but I'm not fully aware of the options available in log format in Nginx. (Apache HTTP Server Event Source Configuration Guide)

 

"%h %l %u %t \"%m \"%V\" \"%U\" \"%q\" %H\" %>s %b \"% {Referer}i\" \"%{User-Agent}i\" \"%{Cookie}i\""

 

%h - the IP address of the client (remote host)
%l - remote logname, usually a dash
%u - remote user if the request was authenticated
%t - time the request was received
\" - quotes
%m - request method
\"%V\" - server name with quotes
\"%U\" - URL path with quotes
\"%q\" - query string with quotes
%H - protocol
\" - quotes
%>s - HTTP status code
%b - size of response in bytes
\"%{Referer}i\" - Referer for all codes with quotes
\"%{User-Agent}i\" - agent (browser) with quotes
\"%{Cookie}i\" - entire cookie header with quotes

0 Likes

azimgambarli
Beginner
Beginner
In response to RafaelSampaio

‎2020-05-29 08:25 AM

Dear Rafael,

 

Everything has been set up as you broadly described and Apache HTTP Server Event Source Configuration Guide used for rsyslog and log format configuration.

 

In the access log file logs look the same as they should be and configured. But Rsyslog adds additional date and hostname tag, this brakes the way log parsed (yes it has been finally parsed) by apache parser:

 

May 29 15:58:30 localhost %APACHE- xxx.xxx.xxx.xxx - - [29/May/2020:15:58:29 +0400] "GET etc....

 

The fields important and required for adequate web server monitoring such as url, user-agent, referrer has been parsed incorrectly. The issue persists. 

0 Likes

RafaelSampaio
Contributor Contributor
Contributor

‎2020-06-10 10:45 AM

Hi Azim,

 

The hostname and timestamp are normal in Syslog messages and both are expected by the Apache parser. It can parser messages with and without those headers, so it should be working normally.
What is the device.type in your parsed events? Is there any "word" meta key?

0 Likes

DaveGlover
Trusted Contributor Trusted Contributor
Trusted Contributor
In response to azimgambarli

‎2020-06-22 12:20 AM

azim gambarli‌ Is it possible to post a log sample?  Or send to me directly?

0 Likes

azimgambarli
Beginner
Beginner
In response to RafaelSampaio

‎2020-06-29 10:29 AM

Rafael Sampaio wrote:

 

Hi Azim,

 

The hostname and timestamp are normal in Syslog messages and both are expected by the Apache parser. It can parser messages with and without those headers, so it should be working normally.
What is the device.type in your parsed events? Is there any "word" meta key?

 Dear Rafel,

 

As you have mentioned the messages can be parsed without those header. But the issue is that logs arrive with those additional headers, and parsed incorrectly.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.