pellerano Absent Member.

Collect http access log to Sentinel server

Can someone help us by pointing out which connectors to use and how to send access logs?
We need to analyze these logs and create correlations on them.

The format of the access log files is of this type (extended format from the NetIQ Access Manager access gateway):
#Software:Multi Access Gateway
#Fields: date time c-ip cs-username s-ip s-sitename cs-method cs-uri cs-uri-stem c-version sc-status sc(Content-Length) sc-bytes cs-bytes time-taken cs(User-Agent) cs(Cookie) cs(Referer) sc(CACHE_STATUS) sc(BALANCER_WORKER_IP) cs(X-Forwarded-For) x-origin-ip rs-bytes
2018-12-20 14:43:46 <Client IP> public <server ip> <site name> GET <uri> "GET / HTTP/1.1" 302 164 5350 2016 629 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" "_ga=GA1.3.xxxxxxx.xxxxxx; Jump.Localization.CultureName=it; _gid=GA1.3.yyyyyyyy.yyyyyyyy; .AspNet.ApplicationCookie=kkiCSN2M...." "<referrer url>" "-" "-" "-" 2016

Sentinel 8.1 version.
Thanks
Sandro
ScorpionSting Absent Member.

Re: Collect http access log to Sentinel server

pellerano;2493337 wrote:
Can someone help us by pointing out which connectors to use and how to send access logs?
We need to analyze these logs and create correlations on them.

The format of the access log files is of this type (extended format from the NetIQ Access Manager access gateway):
#Software:Multi Access Gateway
#Fields: date time c-ip cs-username s-ip s-sitename cs-method cs-uri cs-uri-stem c-version sc-status sc(Content-Length) sc-bytes cs-bytes time-taken cs(User-Agent) cs(Cookie) cs(Referer) sc(CACHE_STATUS) sc(BALANCER_WORKER_IP) cs(X-Forwarded-For) x-origin-ip rs-bytes
2018-12-20 14:43:46 <Client IP> public <server ip> <site name> GET <uri> "GET / HTTP/1.1" 302 164 5350 2016 629 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" "_ga=GA1.3.xxxxxxx.xxxxxx; Jump.Localization.CultureName=it; _gid=GA1.3.yyyyyyyy.yyyyyyyy; .AspNet.ApplicationCookie=kkiCSN2M...." "<referrer url>" "-" "-" "-" 2016

Sentinel 8.1 version.
Thanks
Sandro


Use Access Manager's built in configuration to point your audit server to Sentinel (don't try and modify syslog configuration directly on the MAG or IDP), then use the NetIQ Access Manager collector with the appropriate Syslog connector.

Visit my Website for links to Cool Solution articles.
pellerano Absent Member.

Re: Collect http access log to Sentinel server

Hi,
sorry for the delay in answering.
Thanks, we will not modify the NAM syslog configuration.
OK, we can use the NAM syslog connector, but we need to add more access log files from other sources.
How can we read these files from Sentinel?
Do we need to create our own collector?
We have seen that there is an HTTP collector, but it cannot read a customized access log format (so NAM access logs are not supported).

Bye
ScorpionSting Absent Member.

Re: Collect http access log to Sentinel server

pellerano;2493964 wrote:
Hi,
sorry for the delay in answering.
Thanks, we will not modify the NAM syslog configuration.
OK, we can use the NAM syslog connector, but we need to add more access log files from other sources.
How can we read these files from Sentinel?
Do we need to create our own collector?
We have seen that there is an HTTP collector, but it cannot read a customized access log format (so NAM access logs are not supported).

Bye


If you can't configure the access log source to match an Apache HTTP format (as described in the documentation), then you may need to look at configuring your own Collector using the SDK.

Visit my Website for links to Cool Solution articles.
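As an added example (not from this thread, and not part of the Sentinel Collector SDK), a small Python parser for the W3C extended format shown in the question: it reads the #Fields directive, keeps quoted values such as User-Agent and Cookie intact, and rejects lines whose field count does not match the directive instead of shifting values into the wrong columns. The log text is constructed with made-up values modelled on the sample above.

```python
"""Parse W3C extended-format access logs (the NAM Access Gateway layout) into
field-named records, the preprocessing step a custom Collector would perform."""
import re

# Constructed sample modelled on the thread's example; values are made up, not real NAM output.
# The second data line deliberately has one field too few to show mismatch handling.
SAMPLE_LOG = """#Software:Multi Access Gateway
#Fields: date time c-ip cs-username s-ip s-sitename cs-method cs-uri cs-uri-stem c-version sc-status sc(Content-Length) sc-bytes cs-bytes time-taken cs(User-Agent) cs(Cookie) cs(Referer) sc(CACHE_STATUS) sc(BALANCER_WORKER_IP) cs(X-Forwarded-For) x-origin-ip rs-bytes
2018-12-20 14:43:46 192.0.2.10 public 198.51.100.5 portal GET /login /login HTTP/1.1 302 164 5350 2016 629 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" "_ga=GA1.3.1.1; .AspNet.ApplicationCookie=REDACTED" "https://example.invalid/" "-" "-" "-" 198.51.100.5 2016
2018-12-20 14:43:47 192.0.2.10 public 198.51.100.5 portal GET /login HTTP/1.1 200 0 1 2 3 "curl/7.64.0" "-" "-" "-" "-" "-" 198.51.100.5 0
"""

# A token is either a double-quoted string (quotes stripped) or a run of non-blank characters.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(line):
    """Split one log line into values, keeping quoted values (User-Agent, Cookie, Referer) whole."""
    return [m.group(1) if m.group(1) is not None else m.group(2) for m in _TOKEN.finditer(line)]


def parse_w3c(text):
    """Return (records, errors). Each record maps a #Fields name to its value ("-" becomes None).
    Lines whose token count differs from the #Fields directive are reported, not guessed at:
    mapping by position would silently place the wrong value under the wrong field name."""
    fields, records, errors = None, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):  # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            errors.append((lineno, "data line before #Fields directive"))
            continue
        values = tokenize(line)
        if len(values) != len(fields):
            errors.append((lineno, f"expected {len(fields)} fields, got {len(values)}"))
            continue
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records, errors


if __name__ == "__main__":
    recs, errs = parse_w3c(SAMPLE_LOG)
    print(f"{len(recs)} record(s) parsed, {len(errs)} rejected: {errs}")
    for r in recs:
        print(r["c-ip"], r["cs-method"], r["cs-uri"], r["sc-status"], r["cs(User-Agent)"])
```

The returned dictionaries are what a Collector script would map onto Sentinel event fields; the errors list is worth surfacing, since a field-count mismatch usually means the gateway's log format was changed without updating the parser.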