There are several important elements that we must prepare to cover in order to achieve maximum threat detection, some of which are:

- `time_local`: the timestamp of the log entry (tracked, but not and never will be analyzed).
- `request_uri`: used to detect Common Web Attack, CVE & Directory Bruteforce threats.
- `request_method`: also plays an important role in detecting CVE threats.
- `http_user_agent`: to detect the presence of Bad Crawler.
- `remote_addr`: to detect incoming requests from Bad IP Addresses.
- `http_referer`: to detect the presence of Bad Referer.

If you want to analyze an HAProxy access log, you also have to account for the parts of the log line that you want to skip: give each such string a variable name in `log_format` (teler will not analyze it, since it is not needed), so that the format describes the whole line. For example:
Your HAProxy access log line is:

```
Dec 16 04:20:00 localhost haproxy[14389]: 10.0.0.1:31337 [16/Dec/2021:04:20:00.069] http-in static/server 10/0/30/69/109 400 2750 - - ---- 1/1/1/1/0 0/0 {foo.bar} {} "GET /.env HTTP/1.1"
```

Your `log_format` in the teler configuration file should be (note that the format line must be indented under the `|` block scalar):

```yaml
log_format: |
  $x $x $x $x $x[$x]: $remote_addr:$x [$time_local] $x $x $x $status $body_bytes_sent $x $x $x $x $x {$x} {$x} "$request_method $request_uri $request_protocol"
```
Broken down token by token, the format lines up with the log line like this:

- `$x $x $x $x` → `Dec 16 04:20:00 localhost`
- `$x[$x]:` → `haproxy[14389]:`
- `$remote_addr:$x` → `10.0.0.1:31337`
- `[$time_local]` → `[16/Dec/2021:04:20:00.069]`
- `$x $x $x` → `http-in static/server 10/0/30/69/109`
- `$status` → `400`
- `$body_bytes_sent` → `2750`
- `$x $x $x $x $x` → `- - ---- 1/1/1/1/0 0/0`
- `{$x} {$x}` → `{foo.bar} {}`
- `"$request_method $request_uri $request_protocol"` → `"GET /.env HTTP/1.1"`

The `$x` variables are string values that are NOT required: teler skips them and does not analyze them. Every literal character in between (the brackets, braces, colon and quotes) must appear in the log line at the same position, otherwise the line does not match the format.
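To see what such a format does in practice, here is an added example written for this page (it is not teler's own parser and does not claim to reproduce how teler is implemented). It compiles a teler-style `log_format` into a regular expression, where `$x` becomes an unnamed wildcard that is matched but thrown away and every other `$name` becomes a named capture group, then runs it over the HAProxy line quoted above and prints only the fields that matter for detection. The constants `sampleLine` and `haproxyFormat`, the functions `CompileLogFormat` and `ParseLogLine`, and the non-greedy matching strategy are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleLine is the HAProxy access log line quoted above (constructed sample input).
const sampleLine = `Dec 16 04:20:00 localhost haproxy[14389]: 10.0.0.1:31337 [16/Dec/2021:04:20:00.069] http-in static/server 10/0/30/69/109 400 2750 - - ---- 1/1/1/1/0 0/0 {foo.bar} {} "GET /.env HTTP/1.1"`

// haproxyFormat is the log_format from the configuration above, without the YAML wrapper.
const haproxyFormat = `$x $x $x $x $x[$x]: $remote_addr:$x [$time_local] $x $x $x $status $body_bytes_sent $x $x $x $x $x {$x} {$x} "$request_method $request_uri $request_protocol"`

// varRe finds $variable references inside a log_format string.
var varRe = regexp.MustCompile(`\$[A-Za-z_][A-Za-z0-9_]*`)

// CompileLogFormat turns a teler-style log_format into an anchored regexp
// (an illustrative translation, assumed for this example, not teler's code):
//   - $x    -> a non-greedy wildcard that is matched but not captured
//   - $name -> a non-greedy named capture group (?P<name>.*?)
//   - everything else is matched literally, so every bracket, brace and
//     quote in the format must appear in the log line at the same position.
func CompileLogFormat(format string) (*regexp.Regexp, error) {
	var sb strings.Builder
	sb.WriteString("^")
	last := 0
	for _, loc := range varRe.FindAllStringIndex(format, -1) {
		sb.WriteString(regexp.QuoteMeta(format[last:loc[0]]))
		name := format[loc[0]+1 : loc[1]] // drop the leading '$'
		if name == "x" {
			sb.WriteString(`.*?`)
		} else {
			sb.WriteString(`(?P<` + name + `>.*?)`)
		}
		last = loc[1]
	}
	sb.WriteString(regexp.QuoteMeta(format[last:]))
	sb.WriteString("$")
	return regexp.Compile(sb.String())
}

// ParseLogLine matches one log line against the compiled format and returns
// only the named fields; everything captured by $x is discarded. An error
// means the format does not describe this line at all, which is the failure
// mode to check for when adapting log_format to a new log source: a line the
// format cannot match yields no fields and therefore nothing to detect on.
func ParseLogLine(re *regexp.Regexp, line string) (map[string]string, error) {
	m := re.FindStringSubmatch(strings.TrimRight(line, "\r\n"))
	if m == nil {
		return nil, fmt.Errorf("log line does not match log_format: %q", line)
	}
	fields := make(map[string]string)
	for i, name := range re.SubexpNames() {
		if name != "" {
			fields[name] = m[i]
		}
	}
	return fields, nil
}

func main() {
	re, err := CompileLogFormat(haproxyFormat)
	if err != nil {
		panic(err)
	}
	fields, err := ParseLogLine(re, sampleLine)
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"remote_addr", "time_local", "request_method", "request_uri", "request_protocol", "status", "body_bytes_sent"} {
		fmt.Printf("%-17s = %s\n", k, fields[k])
	}
	// A line of a different shape (here the syslog prefix is missing) is rejected
	// rather than silently producing wrong fields.
	if _, err := ParseLogLine(re, `10.0.0.1:31337 [16/Dec/2021:04:20:00.069] http-in static/server "GET / HTTP/1.1"`); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The wildcards are deliberately non-greedy so that the empty second `{}` field in the sample line is accepted, and so that fields which legitimately contain spaces (a `$http_user_agent`, or a `$time_local` with a timezone offset in other log formats) still work; the literal delimiters between variables are what keep the alignment honest.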