Apache Integration
<div class="condensed-table">
| | |
| --- | --- |
| Version | 1.26.0 (View all) |
| Compatible Kibana version(s) | 8.13.0 or higher |
| Supported Serverless project types | Security, Observability |
| Subscription level | Basic |
| Level of support | Elastic |
</div>
This integration periodically fetches metrics from Apache servers. It can parse access and error logs created by the Apache server.
The Apache datasets were tested with Apache 2.4.12 and 2.4.46 and are expected to work with all versions >= 2.2.31 and >= 2.4.16 (independent from operating system).
The access logs data stream collects the Apache access logs.
**Example**
An example event for access looks as follows:
```json
{
  "@timestamp": "2024-06-21T13:03:30.000Z",
  "agent": {
    "ephemeral_id": "a8296a9f-087a-48ae-af44-8f064213f161",
    "id": "9326664e-5848-4401-a0fb-4494a1538c2e",
    "name": "docker-fleet-agent",
    "type": "filebeat",
    "version": "8.13.0"
  },
  "apache": {
    "access": {
      "remote_addresses": [
        "127.0.0.1"
      ]
    }
  },
  "data_stream": {
    "dataset": "apache.access",
    "namespace": "ep",
    "type": "logs"
  },
  "ecs": {
    "version": "8.11.0"
  },
  "elastic_agent": {
    "id": "9326664e-5848-4401-a0fb-4494a1538c2e",
    "snapshot": false,
    "version": "8.13.0"
  },
  "event": {
    "agent_id_status": "verified",
    "category": [
      "web"
    ],
    "created": "2024-06-21T13:03:44.637Z",
    "dataset": "apache.access",
    "ingested": "2024-06-21T13:03:56Z",
    "kind": "event",
    "outcome": "success"
  },
  "host": {
    "architecture": "x86_64",
    "containerized": true,
    "hostname": "docker-fleet-agent",
    "id": "8259e024976a406e8a54cdbffeb84fec",
    "ip": [
      "192.168.240.7"
    ],
    "mac": [
      "02-42-C0-A8-F0-07"
    ],
    "name": "docker-fleet-agent",
    "os": {
      "codename": "focal",
      "family": "debian",
      "kernel": "3.10.0-1160.118.1.el7.x86_64",
      "name": "Ubuntu",
      "platform": "ubuntu",
      "type": "linux",
      "version": "20.04.6 LTS (Focal Fossa)"
    }
  },
  "http": {
    "request": {
      "method": "GET"
    },
    "response": {
      "body": {
        "bytes": 45
      },
      "status_code": 200
    },
    "version": "1.1"
  },
  "input": {
    "type": "log"
  },
  "log": {
    "file": {
      "path": "/tmp/service_logs/access.log"
    },
    "offset": 0
  },
  "related": {
    "ip": [
      "127.0.0.1"
    ]
  },
  "source": {
    "address": "127.0.0.1",
    "ip": "127.0.0.1"
  },
  "tags": [
    "apache-access"
  ],
  "url": {
    "original": "/",
    "path": "/"
  },
  "user_agent": {
    "device": {
      "name": "Other"
    },
    "name": "curl",
    "original": "curl/7.64.0",
    "version": "7.64.0"
  }
}
```
ECS Field Reference
Please refer to the following document for detailed information on ECS fields.
**Exported fields**
Field | Description | Type | Unit |
---|---|---|---|
@timestamp | Event timestamp. | date | |
apache.access.http.request_headers | HTTP request headers. | keyword | |
apache.access.identity | The client’s identity, as specified in RFC 1413, determined by the identd on the client’s machine. | keyword | |
apache.access.remote_addresses | An array of remote addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like X-Forwarded-For. | keyword | |
apache.access.response_time | Time to serve the request in microseconds. | long | micros |
apache.access.ssl.cipher | SSL cipher name. | keyword | |
apache.access.ssl.protocol | SSL protocol version. | keyword | |
apache.access.tls_handshake.error | TLS handshake error. | keyword | |
cloud.image.id | Image ID for the cloud instance. | keyword | |
data_stream.dataset | Data stream dataset. | constant_keyword | |
data_stream.namespace | Data stream namespace. | constant_keyword | |
data_stream.type | Data stream type. | constant_keyword | |
event.dataset | Event dataset. | constant_keyword | |
event.module | Event module. | constant_keyword | |
host.containerized | If the host is a container. | boolean | |
host.os.build | OS build information. | keyword | |
host.os.codename | OS codename, if any. | keyword | |
input.type | Input type. | keyword | |
log.offset | Log offset. | long | |
Supported formats for the access logs are:
Common Log Format
The common LogFormat can be used as follows:
[TBC: QUOTE]
Example:
[TBC: QUOTE]
Combined Log Format
The combined LogFormat can be used as follows:
[TBC: QUOTE]
[TBC: QUOTE]
[TBC: QUOTE]
Example:
[TBC: QUOTE]
[TBC: QUOTE]
[TBC: QUOTE]
Combined Log Format + X-Forwarded-For header
The combined LogFormat with the X-Forwarded-For header can be used as follows:
[TBC: QUOTE]
Example:
[TBC: QUOTE]
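As an added example (not code from the integration itself), the following Python parser reads the three formats above and fills the fields the access event shows, including apache.access.remote_addresses from X-Forwarded-For. It assumes Apache's standard common and combined LogFormat definitions, and its field mapping is a hypothetical one modelled on the example event, not the integration's own grok pipeline.

```python
import re
from datetime import datetime

# Standard Apache LogFormat strings (from Apache's documentation), assumed here
# to be the three formats the integration accepts:
#   common:   %h %l %u %t "%r" %>s %b
#   combined: common + "%{Referer}i" "%{User-Agent}i"
#   combined + X-Forwarded-For: combined + "%{X-Forwarded-For}i"
_ACCESS_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)")?'
    r'(?: "(?P<xff>[^"]*)")?$'
)


def parse_access_line(line: str) -> dict:
    """Map one line to flat ECS-style names (modelled on the example event
    above; a hypothetical mapping). Raises ValueError if no format fits."""
    m = _ACCESS_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"unsupported access log line: {line!r}")
    g = m.groupdict()
    # %h is the TCP peer and always comes first. X-Forwarded-For is whatever the
    # sender put in the header, so its addresses are appended, never substituted.
    remote = [g["host"]]
    if g["xff"] and g["xff"] != "-":
        remote += [a.strip() for a in g["xff"].split(",") if a.strip()]
    status = int(g["status"])
    event = {
        "@timestamp": datetime.strptime(g["time"], "%d/%b/%Y:%H:%M:%S %z").isoformat(),
        "source.ip": g["host"],
        "apache.access.identity": None if g["ident"] == "-" else g["ident"],
        "user.name": None if g["user"] == "-" else g["user"],
        "http.request.method": g["method"],
        "url.original": g["url"],
        "http.version": g["version"],
        "http.response.status_code": status,
        # "-" means no body was sent; counted as 0 bytes here (an assumption).
        "http.response.body.bytes": 0 if g["bytes"] == "-" else int(g["bytes"]),
        "apache.access.remote_addresses": remote,
        # Convention assumed here: 4xx and 5xx responses are failures.
        "event.outcome": "success" if status < 400 else "failure",
    }
    if g["referrer"] is not None:  # combined formats only
        event["http.request.referrer"] = None if g["referrer"] == "-" else g["referrer"]
        event["user_agent.original"] = g["agent"]
    return event


# Constructed sample lines: common, combined, and combined + X-Forwarded-For.
SAMPLE_LINES = [
    '127.0.0.1 - - [21/Jun/2024:13:03:30 +0000] "GET / HTTP/1.1" 200 45',
    '127.0.0.1 - frank [21/Jun/2024:13:03:31 +0000] "GET /admin HTTP/1.1" 403 199 "-" "curl/7.64.0"',
    '10.0.0.5 - - [21/Jun/2024:13:03:32 +0000] "POST /login HTTP/1.1" 302 - '
    '"https://example.test/" "Mozilla/5.0" "203.0.113.9, 198.51.100.2"',
]
```

Lines that match none of the three formats raise instead of being silently dropped, which is the behaviour you want when a log source starts emitting an unexpected LogFormat.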
The error logs data stream collects the Apache error logs.
**Example**
An example event for error looks as follows:
```json
{
  "@timestamp": "2024-07-03T11:17:00.781Z",
  "agent": {
    "ephemeral_id": "7abcc15c-0d38-4f16-843e-622a20dcfe13",
    "id": "7417c67c-5b97-401f-b722-6becf94a2f17",
    "name": "docker-fleet-agent",
    "type": "filebeat",
    "version": "8.13.0"
  },
  "apache": {
    "error": {
      "module": "mpm_event"
    }
  },
  "data_stream": {
    "dataset": "apache.error",
    "namespace": "ep",
    "type": "logs"
  },
  "ecs": {
    "version": "8.11.0"
  },
  "elastic_agent": {
    "id": "7417c67c-5b97-401f-b722-6becf94a2f17",
    "snapshot": false,
    "version": "8.13.0"
  },
  "event": {
    "agent_id_status": "verified",
    "category": [
      "web"
    ],
    "dataset": "apache.error",
    "ingested": "2024-07-03T11:17:27Z",
    "kind": "event",
    "timezone": "+00:00",
    "type": [
      "info"
    ]
  },
  "host": {
    "architecture": "x86_64",
    "containerized": true,
    "hostname": "docker-fleet-agent",
    "id": "8259e024976a406e8a54cdbffeb84fec",
    "ip": [
      "192.168.246.7"
    ],
    "mac": [
      "02-42-C0-A8-F6-07"
    ],
    "name": "docker-fleet-agent",
    "os": {
      "codename": "focal",
      "family": "debian",
      "kernel": "3.10.0-1160.118.1.el7.x86_64",
      "name": "Ubuntu",
      "platform": "ubuntu",
      "type": "linux",
      "version": "20.04.6 LTS (Focal Fossa)"
    }
  },
  "input": {
    "type": "log"
  },
  "log": {
    "file": {
      "path": "/tmp/service_logs/error.log"
    },
    "level": "notice",
    "offset": 0
  },
  "message": "AH00489: Apache/2.4.46 (Unix) configured -- resuming normal operations",
  "process": {
    "pid": 1,
    "thread": {
      "id": 139928782480512
    }
  },
  "tags": [
    "apache-error"
  ]
}
```
ECS Field Reference
Please refer to the following document for detailed information on ECS fields.
**Exported fields**
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
apache.error.module | The module producing the logged message. | keyword |
cloud.image.id | Image ID for the cloud instance. | keyword |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset | constant_keyword |
event.module | Event module | constant_keyword |
host.containerized | If the host is a container. | boolean |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
input.type | Input type | keyword |
log.offset | Log offset | long |
The server status data stream collects data from the Apache Status module. It scrapes the status data from the web page generated by the mod_status module.
**Example**
An example event for status looks as follows:
```json
{
  "@timestamp": "2022-12-09T03:56:04.531Z",
  "agent": {
    "ephemeral_id": "de9a4641-fef3-4e54-b95a-cd2c722fb9d3",
    "id": "46343e0c-0d8c-464b-a216-cacf63027d6f",
    "name": "docker-fleet-agent",
    "type": "metricbeat",
    "version": "8.5.0"
  },
  "apache": {
    "status": {
      "bytes_per_request": 0,
      "bytes_per_sec": 0,
      "connections": {
        "async": {
          "closing": 0,
          "keep_alive": 0,
          "writing": 0
        },
        "total": 0
      },
      "cpu": {
        "children_system": 0,
        "children_user": 0,
        "load": 0.133333,
        "system": 0.01,
        "user": 0.01
      },
      "load": {
        "1": 1.79,
        "15": 1.04,
        "5": 1.5
      },
      "requests_per_sec": 0.933333,
      "scoreboard": {
        "closing_connection": 0,
        "dns_lookup": 0,
        "gracefully_finishing": 0,
        "idle_cleanup": 0,
        "keepalive": 0,
        "logging": 0,
        "open_slot": 325,
        "reading_request": 0,
        "sending_reply": 1,
        "starting_up": 0,
        "total": 400,
        "waiting_for_connection": 74
      },
      "total_accesses": 14,
      "total_bytes": 0,
      "uptime": {
        "server_uptime": 15,
        "uptime": 15
      },
      "workers": {
        "busy": 1,
        "idle": 74
      }
    }
  },
  "data_stream": {
    "dataset": "apache.status",
    "namespace": "ep",
    "type": "metrics"
  },
  "ecs": {
    "version": "8.11.0"
  },
  "elastic_agent": {
    "id": "46343e0c-0d8c-464b-a216-cacf63027d6f",
    "snapshot": false,
    "version": "8.5.0"
  },
  "event": {
    "agent_id_status": "verified",
    "dataset": "apache.status",
    "duration": 6186792,
    "ingested": "2022-12-09T03:56:04Z",
    "module": "apache"
  },
  "host": {
    "architecture": "x86_64",
    "containerized": false,
    "hostname": "docker-fleet-agent",
    "id": "66392b0697b84641af8006d87aeb89f1",
    "ip": [
      "172.18.0.7"
    ],
    "mac": [
      "02-42-AC-12-00-07"
    ],
    "name": "docker-fleet-agent",
    "os": {
      "codename": "focal",
      "family": "debian",
      "kernel": "5.15.49-linuxkit",
      "name": "Ubuntu",
      "platform": "ubuntu",
      "type": "linux",
      "version": "20.04.5 LTS (Focal Fossa)"
    }
  },
  "metricset": {
    "name": "status",
    "period": 30000
  },
  "service": {
    "address": "http://elastic-package-service-apache-1:80/server-status?auto=",
    "type": "apache"
  }
}
```
ECS Field Reference
Please refer to the following document for detailed information on ECS fields.
**Exported fields**
Field | Description | Type | Unit | Metric Type |
---|---|---|---|---|
@timestamp | Event timestamp. | date | | |
agent.id | | keyword | | |
apache.status.bytes_per_request | Bytes per request. | scaled_float | | gauge |
apache.status.bytes_per_sec | Bytes per second. | scaled_float | | gauge |
apache.status.connections.async.closing | Async closing connections. | long | | gauge |
apache.status.connections.async.keep_alive | Async kept-alive connections. | long | | gauge |
apache.status.connections.async.writing | Async connections writing. | long | | gauge |
apache.status.connections.total | Total connections. | long | | counter |
apache.status.cpu.children_system | CPU of children system. | scaled_float | | gauge |
apache.status.cpu.children_user | CPU of children user. | scaled_float | | gauge |
apache.status.cpu.load | CPU load. | scaled_float | | gauge |
apache.status.cpu.system | System CPU. | scaled_float | | gauge |
apache.status.cpu.user | CPU user load. | scaled_float | | gauge |
apache.status.load.1 | Load average for the last minute. | scaled_float | | gauge |
apache.status.load.15 | Load average for the last 15 minutes. | scaled_float | | gauge |
apache.status.load.5 | Load average for the last 5 minutes. | scaled_float | | gauge |
apache.status.requests_per_sec | Requests per second. | scaled_float | | gauge |
apache.status.scoreboard.closing_connection | Closing connections. | long | | gauge |
apache.status.scoreboard.dns_lookup | DNS lookups. | long | | gauge |
apache.status.scoreboard.gracefully_finishing | Gracefully finishing. | long | | gauge |
apache.status.scoreboard.idle_cleanup | Idle cleanups. | long | | gauge |
apache.status.scoreboard.keepalive | Keep alive. | long | | gauge |
apache.status.scoreboard.logging | Logging. | long | | gauge |
apache.status.scoreboard.open_slot | Open slots. | long | | gauge |
apache.status.scoreboard.reading_request | Reading requests. | long | | gauge |
apache.status.scoreboard.sending_reply | Sending reply. | long | | gauge |
apache.status.scoreboard.starting_up | Starting up. | long | | gauge |
apache.status.scoreboard.total | Total. | long | | gauge |
apache.status.scoreboard.waiting_for_connection | Waiting for connections. | long | | gauge |
apache.status.total_accesses | Total number of access requests. | long | | counter |
apache.status.total_bytes | Total number of bytes served. | long | byte | counter |
apache.status.uptime.server_uptime | Server uptime in seconds. | long | | counter |
apache.status.uptime.uptime | Server uptime. | long | | counter |
apache.status.workers.busy | Number of busy workers. | long | | gauge |
apache.status.workers.idle | Number of idle workers. | long | | gauge |
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | |
cloud.availability_zone | Availability zone in which this host is running. | keyword | | |
cloud.image.id | Image ID for the cloud instance. | keyword | | |
cloud.instance.id | Instance ID of the host machine. | keyword | | |
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | |
cloud.region | Region in which this host is running. | keyword | | |
container.id | Unique container id. | keyword | | |
data_stream.dataset | Data stream dataset. | constant_keyword | | |
data_stream.namespace | Data stream namespace. | constant_keyword | | |
data_stream.type | Data stream type. | constant_keyword | | |
event.dataset | Event dataset. | constant_keyword | | |
event.module | Event module. | constant_keyword | | |
host.containerized | If the host is a container. | boolean | | |
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
host.os.build | OS build information. | keyword | | |
host.os.codename | OS codename, if any. | keyword | | |
service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
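As an added example, not part of the integration, the following Python code parses the machine-readable server-status?auto page into the apache.status.* fields listed above and computes how full the worker scoreboard is. The scoreboard letters follow the mod_status documentation; SAMPLE_STATUS is a constructed response that reproduces the numbers of the example event above, and the kBytes-to-bytes conversion is an assumption based on the byte unit in the field table.

```python
# Scoreboard characters as documented for mod_status, mapped to the
# apache.status.scoreboard.* field names in the table above.
SCOREBOARD_KEYS = {
    "_": "waiting_for_connection", "S": "starting_up", "R": "reading_request",
    "W": "sending_reply", "K": "keepalive", "D": "dns_lookup",
    "C": "closing_connection", "L": "logging", "G": "gracefully_finishing",
    "I": "idle_cleanup", ".": "open_slot",
}

# Keys of the machine-readable ?auto page, mapped to apache.status.* fields.
AUTO_KEYS = {
    "Total Accesses": "total_accesses", "Total kBytes": "total_bytes",
    "CPULoad": "cpu.load", "CPUUser": "cpu.user", "CPUSystem": "cpu.system",
    "CPUChildrenUser": "cpu.children_user", "CPUChildrenSystem": "cpu.children_system",
    "Uptime": "uptime.uptime", "ServerUptimeSeconds": "uptime.server_uptime",
    "ReqPerSec": "requests_per_sec", "BytesPerSec": "bytes_per_sec",
    "BytesPerReq": "bytes_per_request", "BusyWorkers": "workers.busy",
    "IdleWorkers": "workers.idle", "ConnsTotal": "connections.total",
    "ConnsAsyncWriting": "connections.async.writing",
    "ConnsAsyncKeepAlive": "connections.async.keep_alive",
    "ConnsAsyncClosing": "connections.async.closing",
    "Load1": "load.1", "Load5": "load.5", "Load15": "load.15",
}


def parse_server_status(body: str) -> dict:
    """Turn a server-status?auto response into apache.status.* values."""
    status: dict = {}
    for raw in body.splitlines():
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Scoreboard":
            # One character per worker slot; unknown characters still count in total.
            counts = {name: value.count(ch) for ch, name in SCOREBOARD_KEYS.items()}
            counts["total"] = len(value)
            status["scoreboard"] = counts
        elif key in AUTO_KEYS:  # other keys (ServerVersion, CurrentTime, ...) are ignored
            num = float(value)  # mod_status prints fractions as ".933333"
            status[AUTO_KEYS[key]] = int(num) if num.is_integer() else num
    if "total_bytes" in status:
        status["total_bytes"] *= 1024  # reported in kBytes; the field's unit is byte
    return status


def slot_pressure(status: dict) -> float:
    """Fraction of scoreboard slots in use; near 1.0 means worker exhaustion."""
    sb = status["scoreboard"]
    return (sb["total"] - sb["open_slot"]) / sb["total"]


# Constructed ?auto response reproducing the numbers in the example event above.
SAMPLE_STATUS = "\n".join([
    "localhost", "ServerVersion: Apache/2.4.46 (Unix)", "ServerUptimeSeconds: 15",
    "Load1: 1.79", "Load5: 1.5", "Load15: 1.04", "Total Accesses: 14",
    "Total kBytes: 0", "CPUUser: .01", "CPUSystem: .01", "CPUChildrenUser: 0",
    "CPUChildrenSystem: 0", "CPULoad: .133333", "Uptime: 15", "ReqPerSec: .933333",
    "BytesPerSec: 0", "BytesPerReq: 0", "BusyWorkers: 1", "IdleWorkers: 74",
    "ConnsTotal: 0", "ConnsAsyncWriting: 0", "ConnsAsyncKeepAlive: 0",
    "ConnsAsyncClosing: 0", "Scoreboard: W" + "_" * 74 + "." * 325,
])
```

Tracking slot_pressure over time, alongside apache.status.workers.busy, is a cheap way to spot a server being driven toward worker exhaustion before it starts refusing connections.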
These anomaly detection jobs are available in the Machine Learning app in Kibana when you have data that matches the query specified in the manifest.
Find unusual activity in HTTP access logs.
Job | Description |
---|---|
visitor_rate_apache | HTTP Access Logs: Detect unusual visitor rates |
status_code_rate_apache | HTTP Access Logs: Detect unusual status code rates |
source_ip_url_count_apache | HTTP Access Logs: Detect unusual source IPs - high distinct count of URLs |
source_ip_request_rate_apache | HTTP Access Logs: Detect unusual source IPs - high request rates |
low_request_rate_apache | HTTP Access Logs: Detect low request rates |
**Changelog**
Version | Details | Kibana version(s) |
---|---|---|
1.26.0 | Enhancement (View pull request) Deprecate third-party REST API import option. | 8.13.0 or higher |
1.25.0 | Enhancement (View pull request) Allow configuration of ignoring older events in apache access log datastream. | 8.13.0 or higher |
1.24.0 | Enhancement (View pull request) Allow @custom pipeline access to event.original without setting preserve_original_event. | 8.13.0 or higher |
1.23.0 | Enhancement (View pull request) Update grok pattern to support access and error log format. | 8.13.0 or higher |
1.22.0 | Enhancement (View pull request) Add processor support for status data stream. | 8.13.0 or higher |
1.21.0 | Enhancement (View pull request) ECS version updated to 8.11.0. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. | 8.13.0 or higher |
1.20.0 | Enhancement (View pull request) Add optional response-time field in access logs. | 8.10.2 or higher |
1.19.0 | Enhancement (View pull request) Add global filter on data_stream.dataset to improve performance. | 8.10.2 or higher |
1.18.0 | Enhancement (View pull request) Prepare package for serverless. Enhancement (View pull request) Add secrets support. Enhancement (View pull request) Add filters to metrics dashboard. Bug fix (View pull request) Remove duplicated and ambiguous field definitions. Bug fix (View pull request) Fix normalization as arrays of event.category and event.type fields. | 8.10.2 or higher |
1.17.2 | Bug fix (View pull request) Rename field "apache2.error.integration" to "apache.error.module" in the Apache error visualizations. | 8.10.2 or higher |
1.17.1 | Bug fix (View pull request) Update grok for accepting user-identity. | 8.10.2 or higher |
1.17.0 | Enhancement (View pull request) Limit request tracer log count to five. | 8.10.2 or higher |
1.16.0 | Enhancement (View pull request) Migrate Uptime metric visualization to lens. | 8.10.2 or higher |
1.15.1 | Bug fix (View pull request) Add null check and ignore_missing check to the rename processor. | 8.8.0 or higher |
1.15.0 | Enhancement (View pull request) Add ability to set condition for logs and metrics. | 8.8.0 or higher |
1.14.0 | Enhancement (View pull request) Enable time series data streams for the metrics datasets. This dramatically reduces storage for metrics and is expected to progressively improve query performance. For more details, see docs-content://manage-data/data-store/data-streams/time-series-data-stream-tsds.md. | 8.8.0 or higher |
1.13.0 | Enhancement (View pull request) Rename ownership from obs-service-integrations to obs-infraobs-integrations. | 8.7.1 or higher |
1.12.0 | Enhancement (View pull request) Add a new flag to enable request tracing. | 8.7.1 or higher |
1.11.0 | Enhancement (View pull request) Add dimension fields for status datastream for TSDB enablement. | 8.3.0 or higher |
1.10.0 | Enhancement (View pull request) Migrate Access and error logs dashboard visualizations to lens. | 8.3.0 or higher |
1.9.0 | Enhancement (View pull request) Migrate Overview dashboard visualizations to lens. | 8.3.0 or higher |
1.8.2 | Bug fix (View pull request) Fix a bug that may blank three visualizations. | 8.0.0 or higher |
1.8.1 | Enhancement (View pull request) Added categories and/or subcategories. | 8.0.0 or higher |
1.8.0 | Enhancement (View pull request) Update ECS version to 8.5.1. | 8.0.0 or higher |
1.7.0 | Enhancement (View pull request) Added infrastructure category. | 8.0.0 or higher |
1.6.0 | Enhancement (View pull request) Add support for x_forwarded_for header. | 8.0.0 or higher |
1.5.1 | Enhancement (View pull request) Remove unused visualizations. | 8.0.0 or higher |
1.5.0 | Enhancement (View pull request) Use new labels for source license and subscription. | 8.0.0 or higher |
1.4.1 | Bug fix (View pull request) Add correct field mapping for event.created. | 8.0.0 or higher |
1.4.0 | Enhancement (View pull request) Migration of tile map to map in logs dashboard. | — |
1.3.6 | Enhancement (View pull request) Add documentation for multi-fields. | — |
1.3.5 | Enhancement (View pull request) Add ML modules to readme. | 7.14.0 or higher, 8.0.0 or higher |
1.3.4 | Bug fix (View pull request) Regenerate test files using the new GeoIP database. | — |
1.3.3 | Bug fix (View pull request) Change test public IPs to the supported subset. | — |
1.3.2 | Bug fix (View pull request) Fix ML module manifest query to ignore frozen and cold tiers. | 7.14.0 or higher, 8.0.0 or higher |
1.3.1 | Bug fix (View pull request) Fix parsing of trace log levels. | — |
1.3.0 | Enhancement (View pull request) Support Kibana 8.0. | 7.14.0 or higher, 8.0.0 or higher |
1.2.0 | Enhancement (View pull request) Uniform with guidelines. | — |
1.1.1 | Bug fix (View pull request) Fix logic that checks for the forwarded tag. | — |
1.1.0 | Enhancement (View pull request) Update to ECS 1.12.0. | 7.14.0 or higher |
1.0.0 | Enhancement (View pull request) Release Apache as GA. | — |
0.9.2 | Enhancement (View pull request) Convert to generated ECS fields. | — |
0.9.1 | Enhancement (View pull request) Update to ECS 1.11.0. | — |
0.9.0 | Enhancement (View pull request) Update integration description. | — |
0.8.1 | Enhancement (View pull request) Add support for Splunk authorization tokens. | — |
0.8.0 | Bug fix (View pull request) Set event.module and event.dataset. | — |
0.7.1 | Bug fix (View pull request) Fix bug in Third Party REST API ingest pipeline. | — |
0.7.0 | Enhancement (View pull request) Update to ECS 1.10.0 and adding items that all packages should have. | — |
0.6.0 | Enhancement (View pull request) Render units and metric types in exported fields table. | — |
0.5.1 | Enhancement (View pull request) Move ecs.version to the ingest pipeline and make event.original optional. | — |
0.5.0 | Enhancement (View pull request) Adds ML jobs for finding unusual activity in HTTP access logs. | — |
0.4.1 | Enhancement (View pull request) Update to ECS 1.9.0. | — |
0.3.5 | Enhancement (View pull request) Updating package owner. | — |
0.3.4 | Bug fix (View pull request) Use correct types for source.port and source.ip. | — |
0.1.0 | Enhancement (View pull request) Initial release. | — |