Using Access Logs
This page describes how to convert your existing access logs into a format that Spherical Defense can ingest and learn from.
Web server logging rarely includes HTTP POST payloads, which makes this approach unsuitable if you expect inbound HTTP payloads in your traffic.
The Common Log Format is the standard Apache logging format for web server access logging. This format contains the following fields:
The IP address of the client (remote host) which made the request to the server.
The RFC 1413 identity (identd) of the client. Usually "-".
The UserId of the person requesting the document. Usually "-" unless .htaccess has requested authentication.
The date, time, and time zone that the request was received, by default in format %d/%b/%Y:%H:%M:%S %z.
The request line from the client: the method (GET), the resource requested (/apache_pb.gif), and the HTTP protocol version (HTTP/1.0).
The HTTP status code returned to the client. 2xx is a successful response, 3xx a redirection, 4xx a client error, and 5xx a server error.
The size of the object returned to the client, measured in bytes ("-" when no body was sent).
To convert this file into a format that can be ingested by a running Spherical Defense instance, complete the following steps:
1. SSH into your Spherical Defense instance.
2. Create a new file in the ~/ directory called apache_log_converter.py
3. Copy the following script into the file:
4. Ensure that your Apache logs are in the same directory as the above script.
5. Run the following command: python3 apache_log_converter.py -s <SOURCE FILENAME> -t <TARGET FILENAME>
6. After you have generated a file that can be ingested by the Spherical Defense data ingestor, go back to the AMI quickstart below to continue the on-boarding process.
The combined log format is the same as the above, but with two extra fields included:
A referrer URL
A user-agent
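The page does not reproduce the converter script, so the following is an added example, not Spherical Defense's own apache_log_converter.py: a small Python parser that handles both the Common Log Format fields listed above and the two extra Combined Log Format fields (referer and user-agent). It takes the same -s/-t arguments as the command in step 5. Because the page does not state the ingestor's required output format, the script assumes one JSON object per request line; the sample log lines embedded in it are constructed for illustration. Lines that do not match the format (truncated entries, scanner noise) are counted and skipped rather than aborting the whole conversion.

```python
import argparse
import json
import re
import sys
from datetime import datetime

# Apache Common Log Format, with an optional trailing '"referer" "user-agent"'
# pair that turns it into the Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)

# Constructed sample: one CLF line, one combined line, one junk line.
SAMPLE_LOG = """\
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326
203.0.113.7 - - [10/Oct/2000:13:55:40 -0700] "POST /login HTTP/1.1" 302 - "http://example.test/" "Mozilla/5.0"
this is not a log line
"""


def parse_line(line):
    """Parse one CLF or combined line into a dict; return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    f = m.groupdict()
    # The request line is "METHOD PATH PROTOCOL"; malformed requests (common
    # in scanner traffic) may have fewer parts, so pad instead of raising.
    req = f["request"].split(" ")
    method = req[0] if len(req) > 0 else ""
    path = req[1] if len(req) > 1 else ""
    proto = req[2] if len(req) > 2 else ""
    # Timestamp uses the default Apache format %d/%b/%Y:%H:%M:%S %z.
    try:
        ts = datetime.strptime(f["time"], "%d/%b/%Y:%H:%M:%S %z").isoformat()
    except ValueError:
        ts = f["time"]  # keep the raw value rather than lose the record
    return {
        "client_ip": f["host"],
        "ident": None if f["ident"] == "-" else f["ident"],
        "user": None if f["user"] == "-" else f["user"],
        "timestamp": ts,
        "method": method,
        "path": path,
        "protocol": proto,
        "status": int(f["status"]),
        "bytes": 0 if f["size"] == "-" else int(f["size"]),
        # Combined-format fields; absent in plain CLF, "-" when empty.
        "referer": None if f["referer"] in (None, "-") else f["referer"],
        "user_agent": None if f["agent"] in (None, "-") else f["agent"],
    }


def convert(lines):
    """Convert raw log lines into (records, skipped_count), skipping unparsable lines."""
    records, skipped = [], 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        else:
            records.append(rec)
    return records, skipped


def main():
    ap = argparse.ArgumentParser(description="Convert Apache access logs to JSON lines (example).")
    ap.add_argument("-s", "--source", help="input access log; sample data if omitted")
    ap.add_argument("-t", "--target", help="output file; stdout if omitted")
    args = ap.parse_args()
    if args.source:
        with open(args.source, encoding="utf-8", errors="replace") as fh:
            records, skipped = convert(fh)
    else:
        records, skipped = convert(SAMPLE_LOG.splitlines())
    out = open(args.target, "w", encoding="utf-8") if args.target else sys.stdout
    for rec in records:
        out.write(json.dumps(rec) + "\n")
    if args.target:
        out.close()
    print(f"converted {len(records)} records, skipped {skipped} unparsable lines", file=sys.stderr)


if __name__ == "__main__":
    main()
```

Run it as python3 apache_log_converter.py -s access.log -t access.jsonl to mirror step 5; without arguments it converts the embedded sample and prints the two JSON records to stdout. The skipped-line count is worth watching: a large number usually means the log uses a custom LogFormat rather than common or combined, and the regex needs adjusting before the output is trusted.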