6.3 Ensure the Server Access Log Is Configured Correctly - 'httpd.conf LogFormat is configured'

Information

The 'LogFormat' directive defines the format and information to be included in the server access log entries. The 'CustomLog' directive specifies the log file, syslog facility, or piped logging utility.

Rationale:

The server access logs are invaluable for a variety of reasons. They can be used to determine what resources are being used most. Most importantly, they can be used to investigate anomalous behavior that may be an indication an attack is pending or has occurred. If the server only logs errors and does not log successful access, it is very difficult to investigate incidents. You may see that the errors stop and wonder if the attacker gave up or if the attack was successful.

Solution

Perform the following to implement the recommended state:

1. Add or modify the 'LogFormat' directives in the Apache configuration to use the combined' format show as shown below.

LogFormat '%h %l %u %t '%r' %>s %b '%{Referer}i' '%{User-agent}i'' combined

2. Add or modify the 'CustomLog' directives in the Apache configuration to use the combined format with an appropriate log file, syslog facility or piped logging utility.

CustomLog log/access_log combined

3. Add a similar 'CustomLog' directives for each virtual host configured if the virtual host will have different people responsible for the web site. Each responsible individual or organization needs access to their own web logs as well as the skills/training/tools for monitoring the logs.

See Also

https://workbench.cisecurity.org/files/2378