Log Format
Several log fields must be present in the log format for teler to achieve maximum threat detection coverage. The important ones are:

- `time_local`: tracked as the log time indicator (not analyzed, and will not be).
- `request_uri`: used to detect Common Web Attack, CVE and Directory Bruteforce threats.
- `request_method`: also plays an important role in detecting CVE threats.
- `http_user_agent`: used to detect the presence of Bad Crawler.
- `remote_addr`: used to detect incoming requests from Bad IP Addresses.
- `http_referer`: used to detect the presence of Bad Referer.
If you want to analyze a HAProxy access log, you also have to assign a variable name in `log_format` to each log field that should be skipped; teler does not analyze those fields because they are not needed. For example:
Your HAProxy access log line is:

```text
Dec 16 04:20:00 localhost haproxy[14389]: 10.0.0.1:31337 [16/Dec/2021:04:20:00.069] http-in static/server 10/0/30/69/109 400 2750 - - ---- 1/1/1/1/0 0/0 {foo.bar} {} "GET /.env HTTP/1.1"
```

Your `log_format` in the teler configuration file should be:

```yaml
log_format: |
  $x $x $x $x $x[$x]: $remote_addr:$x [$time_local] $x $x $x $status $body_bytes_sent $x $x $x $x $x {$x} {$x} "$request_method $request_uri $request_protocol"
```
Broken down field by field, the mapping looks like this (the breakdown uses a second sample line with the same structure but different field values):
| Variable | Value |
|---|---|
| x | Feb |
| x | 6 |
| x | 12:14:14 |
| x | localhost |
| x | haproxy |
| x | 14389 |
| remote_addr | 10.0.1.2 |
| x | 33317 |
| time_local | 06/Feb/2009:12:14:14.655 |
| x | http-in |
| x | static/srv1 |
| x | 10/0/30/69/109 |
| status | 400 |
| body_bytes_sent | 2750 |
| x | - |
| x | - |
| x | `----` |
| x | 1/1/1/1/0 |
| x | 0/0 |
| x | 1wt.eu |
| x | (empty) |
| request_method | GET |
| request_uri | /.env |
| request_protocol | HTTP/1.1 |
The `$x` variables are string values that teler does not need and skips during analysis.
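As an added illustration (not teler's own code), the following Go program compiles a `log_format` template like the one above into a regular expression and applies it to the page's sample HAProxy line; every `$x` is matched but dropped, so only the named fields reach the analysis stage. It assumes each variable extends up to the next literal character in the template, which is how the sample format delimits its fields.

```go
package main

import (
	"regexp"
	"strings"
)

// The page's log_format and its sample HAProxy access log line.
const (
	haproxyFormat = `$x $x $x $x $x[$x]: $remote_addr:$x [$time_local] $x $x $x $status $body_bytes_sent $x $x $x $x $x {$x} {$x} "$request_method $request_uri $request_protocol"`
	sampleLine    = `Dec 16 04:20:00 localhost haproxy[14389]: 10.0.0.1:31337 [16/Dec/2021:04:20:00.069] http-in static/server 10/0/30/69/109 400 2750 - - ---- 1/1/1/1/0 0/0 {foo.bar} {} "GET /.env HTTP/1.1"`
)
// CompileLogFormat turns a log_format template into an anchored regexp: literal text is
// escaped, $name becomes a named group up to the next literal character, $x is non-capturing.
func CompileLogFormat(format string) *regexp.Regexp {
	var sb strings.Builder
	sb.WriteString("^")
	last := 0
	for _, m := range regexp.MustCompile(`\$\w+`).FindAllStringIndex(format, -1) {
		sb.WriteString(regexp.QuoteMeta(format[last:m[0]]))
		name, field := format[m[0]+1:m[1]], ".*" // last variable: take the rest
		if m[1] < len(format) {
			field = "[^" + regexp.QuoteMeta(format[m[1]:m[1]+1]) + "]*"
		}
		group := "(?:" // $x: matched but never reported
		if name != "x" {
			group = "(?P<" + name + ">"
		}
		sb.WriteString(group + field + ")")
		last = m[1]
	}
	sb.WriteString(regexp.QuoteMeta(format[last:]) + "$")
	return regexp.MustCompile(sb.String())
}

// ParseLogLine returns the named fields of one line; ok is false on mismatch.
func ParseLogLine(format, line string) (fields map[string]string, ok bool) {
	re := CompileLogFormat(format)
	m := re.FindStringSubmatch(line)
	if m == nil {
		return nil, false
	}
	fields = map[string]string{}
	for i, name := range re.SubexpNames() {
		if name != "" { // unnamed groups are the $x placeholders
			fields[name] = m[i]
		}
	}
	return fields, true
}
```

A line that does not fit the template is rejected outright, which is the behaviour you want in production: a silently mis-split line would feed the wrong value into `request_uri` or `remote_addr` and skew detection.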