-
Notifications
You must be signed in to change notification settings - Fork 3k
/
ApacheHTTPServer.txt
53 lines (53 loc) · 2.46 KB
/
ApacheHTTPServer.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
// This function parses Apache HTTP server access.log and error.log
// Expected access.log format: "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
// Expected error.log format: "[%t] [%l] [client %a] %M"
// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
let apache_accesslog_events =() {
ApacheHTTPServer_CL
| where RawData matches regex @'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*\[.*\]\s\"(GET|POST).*?\"\s([1-5][0-9]{2})\s(\d+)\s\"(.*?)\"\s\"(.*?)\".*'
| extend EventProduct = 'Apache'
| extend EventType = 'AccessLog'
| extend EventData = split(RawData, '"')
| extend SubEventData0 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[0])))), ' ')
| extend SubEventData1 = split(EventData[1], ' ')
| extend SubEventData2 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[2])))), ' ')
| extend SrcIpAddr = tostring(SubEventData0[0])
| extend ClientIdentity = SubEventData0[1]
| extend SrcUserName = SubEventData0[2]
| extend EventStartTime = todatetime(replace(@'\/', @'-', replace(@'(\d{2}\/\w{3}\/\d{4}):(\d{2}\:\d{2}\:\d{2})', @'\1 \2', extract(@'\[(.*?)\+\d+\]', 1, RawData))))
//| extend EventStartTime = strcat(SubEventData0[3], SubEventData0[4])
| extend HttpRequestMethod = SubEventData1[0]
| extend UrlOriginal = SubEventData1[1]
| extend HttpVersion = SubEventData1[2]
| extend HttpStatusCode = SubEventData2[0]
| extend HttpResponseBodyBytes = SubEventData2[1]
| extend HttpReferrerOriginal = EventData[3]
| extend HttpUserAgentOriginal = EventData[5]
};
let apache_errorlog_events=() {
ApacheHTTPServer_CL
| where RawData matches regex @'\A\[.*?\]\s\[.*\]\s\[.*\].*'
| extend EventProduct = 'Apache'
| extend EventType = 'ErrorLog'
| extend EventSeverity = 'Error'
| extend EventStartTime = todatetime(extract(@'\[\w{3}\s(.*?)\]', 1, RawData))
| extend SrcIpAddr = extract(@'\[client (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]', 1, RawData)
| extend EventMessage = extract(@'\[client \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\s(.*)', 1, RawData)
};
union isfuzzy=true apache_accesslog_events, apache_errorlog_events
| project TimeGenerated
, EventProduct
, EventType
, EventSeverity
, EventStartTime
, SrcIpAddr
, ClientIdentity
, SrcUserName
, HttpRequestMethod
, UrlOriginal
, HttpVersion
, HttpStatusCode
, HttpResponseBodyBytes
, HttpReferrerOriginal
, HttpUserAgentOriginal
, EventMessage