Log Format

There are several important elements that we must prepare to cover/achieve maximum threat detection, some of which are:

  • time_local tracked log time indicator (not and will not be analyzed).
  • request_uri used to detect Common Web Attack, CVE & Directory Bruteforce threats.
  • request_method also plays an important role in detecting CVE threats.
  • http_user_agent to detect the presence of Bad Crawler.
  • remote_addr to detect incoming requests from Bad IP Addresses.
  • http_referer to detect the presence of Bad Referer.

In case if you want to analyze HAProxy access log, to skip (some of) log string, you also have to specify a variable name for that (will be skipped) string in log_format (which will not be analyzed by teler because it’s not needed). For example:

Your HAProxy access log-line is: Dec 16 04:20:00 localhost haproxy[14389]: 10.0.0.1:31337 [16/Dec/2021:04:20:00.069] http-in static/server 10/0/30/69/109 400 2750 - - ---- 1/1/1/1/0 0/0 {foo.bar} {} "GET /.env HTTP/1.1"

Your log_format on teler configuration file should be:

log_format: |
  $x $x $x $x $x[$x]: $remote_addr:$x [$time_local] $x $x $x $status $body_bytes_sent $x $x $x $x $x {$x} {$x} "$request_method $request_uri $request_protocol"

If we breakdown it will looks like:

Variable Value
x Feb
x 6
x 12:14:14
x localhost
x haproxy
x 14389
remote_addr 10.0.1.2
x 33317
time_local 06/Feb/2009:12:14:14.655
x http-in
x static/srv1
x 10/0/30/69/109
status 400
body_bytes_sent 2750
x -
x -
x —-
x 1/1/1/1/0
x 0/0
x 1wt.eu
x  
request_method GET
request_uri /.env
request_protocol HTTP/1.1

The x variables are string values that are NOT required/will be skipped by teler to analyze.