Log Format
Several log fields must be present in the format for teler to reach maximum threat detection. The most important ones are:

- `time_local`: the log timestamp; it is tracked but not analyzed.
- `request_uri`: used to detect Common Web Attack, CVE and Directory Bruteforce threats.
- `request_method`: also plays an important role in detecting CVE threats.
- `http_user_agent`: used to detect Bad Crawlers.
- `remote_addr`: used to detect incoming requests from Bad IP Addresses.
- `http_referer`: used to detect Bad Referers.
If you want to analyze an HAProxy access log, you still have to assign a variable name to every field of the log line, including the ones you want to skip, so that the whole line matches `log_format`. Fields that teler does not need are given a throwaway variable name and are not analyzed. For example:
Your HAProxy access log line is:

```
Dec 16 04:20:00 localhost haproxy[14389]: 10.0.0.1:31337 [16/Dec/2021:04:20:00.069] http-in static/server 10/0/30/69/109 400 2750 - - ---- 1/1/1/1/0 0/0 {foo.bar} {} "GET /.env HTTP/1.1"
```

The `log_format` in your teler configuration file should then be:

```yaml
log_format: |
  $x $x $x $x $x[$x]: $remote_addr:$x [$time_local] $x $x $x $status $body_bytes_sent $x $x $x $x $x {$x} {$x} "$request_method $request_uri $request_protocol"
```
Broken down against the log line above, the variables map to these values:

| Variable | Value |
|---|---|
| x | Dec |
| x | 16 |
| x | 04:20:00 |
| x | localhost |
| x | haproxy |
| x | 14389 |
| remote_addr | 10.0.0.1 |
| x | 31337 |
| time_local | 16/Dec/2021:04:20:00.069 |
| x | http-in |
| x | static/server |
| x | 10/0/30/69/109 |
| status | 400 |
| body_bytes_sent | 2750 |
| x | - |
| x | - |
| x | ---- |
| x | 1/1/1/1/0 |
| x | 0/0 |
| x | foo.bar |
| x | (empty) |
| request_method | GET |
| request_uri | /.env |
| request_protocol | HTTP/1.1 |
The `x` variables are string values that teler does not require; they are matched so the line parses, but their content is skipped during analysis. Note that this HAProxy format exposes neither `http_user_agent` nor `http_referer`, so Bad Crawler and Bad Referer detection will have nothing to work with unless HAProxy is configured to log those headers.
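To check a `log_format` against real log lines before deploying it, the following added example (written for this page, not teler's own parsing code) turns a `$variable` template into a regex, applies it to the HAProxy line above and to a constructed NGINX combined-style line, and reports which of the six detection fields a format fails to expose. The matching rule it uses, that each variable's value extends to the first occurrence of the literal character that follows it in the template, is an assumption of this example; the NGINX-style format and both sample lines are constructed and not claimed to be teler defaults.

```python
import re

# Constructed sample input: the HAProxy access-log line and log_format from the page.
HAPROXY_LINE = (
    'Dec 16 04:20:00 localhost haproxy[14389]: 10.0.0.1:31337 '
    '[16/Dec/2021:04:20:00.069] http-in static/server 10/0/30/69/109 '
    '400 2750 - - ---- 1/1/1/1/0 0/0 {foo.bar} {} "GET /.env HTTP/1.1"'
)
HAPROXY_FORMAT = (
    '$x $x $x $x $x[$x]: $remote_addr:$x [$time_local] $x $x $x '
    '$status $body_bytes_sent $x $x $x $x $x {$x} {$x} '
    '"$request_method $request_uri $request_protocol"'
)

# Constructed comparison input: an NGINX combined-style format and a matching line.
# Hypothetical example only, not claimed to be teler's default log_format.
NGINX_FORMAT = (
    '$remote_addr - $remote_user [$time_local] '
    '"$request_method $request_uri $request_protocol" '
    '$status $body_bytes_sent "$http_referer" "$http_user_agent"'
)
NGINX_LINE = (
    '203.0.113.7 - - [16/Dec/2021:04:20:01 +0000] "GET /.env HTTP/1.1" '
    '404 153 "-" "Mozilla/5.0 (compatible; ExampleScanner/1.0)"'
)

# The six fields the page lists as needed for maximum threat detection.
DETECTION_FIELDS = [
    "time_local", "request_uri", "request_method",
    "http_user_agent", "remote_addr", "http_referer",
]

VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def format_to_regex(log_format):
    """Compile a $variable template into an anchored regex.

    Assumed rule: a variable's value runs up to the first occurrence of the
    literal character that follows it in the template (space, ']', '}', '"'
    and so on); a variable at the very end takes the rest of the line.
    '$x' becomes a non-capturing group (matched, not reported); every other
    variable becomes a named group so it can be analyzed.
    """
    parts = []
    pos = 0
    for m in VAR_RE.finditer(log_format):
        parts.append(re.escape(log_format[pos:m.start()]))  # literal text between variables
        name = m.group(1)
        delim = log_format[m.end():m.end() + 1]
        value = "[^" + re.escape(delim) + "]*" if delim else ".*"
        parts.append("(?:%s)" % value if name == "x" else "(?P<%s>%s)" % (name, value))
        pos = m.end()
    parts.append(re.escape(log_format[pos:]))  # trailing literal, e.g. the closing quote
    return re.compile("^" + "".join(parts) + "$")


def parse_line(line, log_format):
    """Return the analyzed fields of one log line, or None if the format does not match it."""
    m = format_to_regex(log_format).match(line)
    return m.groupdict() if m else None


def missing_detection_fields(log_format):
    """List the detection-relevant fields that a log_format does not expose."""
    present = set(VAR_RE.findall(log_format))
    return [f for f in DETECTION_FIELDS if f not in present]


if __name__ == "__main__":
    for fmt, line in ((HAPROXY_FORMAT, HAPROXY_LINE), (NGINX_FORMAT, NGINX_LINE)):
        print(parse_line(line, fmt))
        print("not covered:", missing_detection_fields(fmt) or "nothing")
```

Running it shows why delimiter-aware matching matters: the NGINX-style `$time_local` and `$http_user_agent` values contain spaces, yet they parse correctly because the rule stops at `]` and `"` rather than at whitespace. It also makes the HAProxy gap concrete: `missing_detection_fields(HAPROXY_FORMAT)` reports `http_user_agent` and `http_referer`, so that format cannot feed Bad Crawler or Bad Referer detection.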