Accenture MDR Quick Start Guide for F5 Nginx

This quick start guide helps Accenture MDR customers configure F5 Nginx to send logs to the Log Collection Platform (LCP).

This document includes the following topics:

  • Supported Versions
  • Port Requirements
  • Configuring F5 Nginx
  • LCP Configuration Parameters
  • Legal Notice

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found in the Accenture MDR Portal.

Port Requirements

Table 1-1: Port requirements for LCP communication.

Source          | Destination | Port      | Description
----------------|-------------|-----------|-------------
F5 Nginx server | LCP         | 601 (TCP) | Default port

Configuring F5 Nginx

With this method you can customize the Nginx log format and forward syslog to the LCP; forwarding to the LCP is supported over TCP only.

Platforms:
  • CentOS/RHEL 7
  • Debian release 10 (buster/sid)

Steps:

  • Connect over SSH to the CLI of the server on which Nginx is deployed.

  • Configure the rsyslog server to accept syslog over UDP. This step is optional: skip it if the local syslog server is already configured to receive logs over UDP.

If local syslog reception over UDP is not already enabled, configure it first. Stop the rsyslog service and edit /etc/rsyslog.conf (the default path of the rsyslog configuration file) to enable local syslog reception over UDP. The commands are:

# sudo systemctl stop rsyslog.service
# sudo vi /etc/rsyslog.conf


Add the following lines to the configuration file, or uncomment them if they are already present but commented out, then save the file.

$ModLoad imudp
$UDPServerRun 514

Find the snapshot for your reference.

Now start rsyslog service.

# sudo systemctl start rsyslog.service

  • Configure Nginx with the custom log format and redirect its logs to the local syslog server.

With a standard installation, nginx.conf is located at /etc/nginx/nginx.conf. The exact location depends on the package system used to install NGINX and on the operating system; it is typically one of /usr/local/nginx/conf, /etc/nginx, or /usr/local/etc/nginx.

Modify nginx.conf to configure the access log with the recommended custom log format and to redirect both access and error logs to the local rsyslog server. Execute the following commands.


Append the following lines to the http block and save the file.

See the snapshot for reference.

Note that the configuration above is appended to the http block so that it becomes the default logging configuration for every server that nginx serves. Log directives placed in other blocks, such as server or location, override this default.

The same configuration can instead be placed in a server or location block to collect logs from that block only, depending on the customer's requirements.


Now start the Nginx service. This forwards Nginx logs to the local rsyslog server.

  • Forward Nginx logs to the LCP.

Now create a new configuration file under /etc/rsyslog.d/. Its name must start with the prefix 99 so that rsyslog loads it after the other drop-in files; for example, create a new file named 99-lcp.conf under /etc/rsyslog.d. The commands are:


Paste the following lines and save the file. This configuration forwards logs to the LCP over TCP.


Start the rsyslog service.
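The guide's own configuration lines (the nginx http-block snippet and the 99-lcp.conf contents) are not reproduced on this page, so the following shell script is an added example, not Accenture's recommended configuration. It generates an illustrative Nginx snippet (a custom log_format plus access_log and error_log sent to the local rsyslog UDP listener configured above), generates the /etc/rsyslog.d/99-lcp.conf drop-in that forwards only nginx-tagged messages to the LCP on TCP 601 (the port from Table 1-1), writes both files, and runs each tool's own syntax check. The log format itself, the assumption that nginx.conf includes /etc/nginx/conf.d/*.conf inside its http block, the placeholder LCP address 192.0.2.10 and all function names are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the Accenture guide). Assumptions, labelled:
#   - rsyslog already receives local syslog on UDP 514 (imudp step above)
#   - nginx.conf includes /etc/nginx/conf.d/*.conf inside its http block
#   - the LCP address comes from LCP_IP; 192.0.2.10 is only a placeholder
#   - the log format below is illustrative, not Accenture's recommended one
set -u

# Nginx http-block snippet: a custom access-log format plus access and error
# logs sent to the local rsyslog listener. "syslog:" is UDP by default, and
# tag=nginx makes rsyslog see $programname "nginx", which we filter on below.
lcp_nginx_snippet() {
    cat <<'EOF'
log_format lcp_custom '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
access_log syslog:server=127.0.0.1:514,facility=local7,tag=nginx,severity=info lcp_custom;
error_log  syslog:server=127.0.0.1:514,facility=local7,tag=nginx error;
EOF
}

# rsyslog drop-in for /etc/rsyslog.d/99-lcp.conf: forward only messages tagged
# nginx to the LCP over TCP 601. The in-memory queue holds events during a
# short LCP outage instead of dropping them; retries never give up.
lcp_rsyslog_conf() {
    lcp_ip="$1"
    cat <<EOF
if \$programname == "nginx" then {
    action(type="omfwd" target="$lcp_ip" port="601" protocol="tcp"
           queue.type="LinkedList" queue.size="10000"
           action.resumeRetryCount="-1")
}
EOF
}

# Check: rsyslog must actually be listening on UDP 514, otherwise nginx's
# syslog datagrams are silently lost. Returns 0 when a listener is present.
lcp_udp_listener_ok() {
    ss -lun 2>/dev/null | grep -q ':514[[:space:]]'
}

# Check: does a generated config contain an expected literal (target, port,
# tag)? Used to catch a mistyped LCP_IP before anything is restarted.
lcp_conf_mentions() {   # $1 = config text, $2 = expected substring
    printf '%s\n' "$1" | grep -qF -- "$2"
}

# Write both fragments under prefix $1 (e.g. /tmp/dryrun, or "" for /), then
# run the tools' own syntax checks when installed and targeting the real /etc.
lcp_apply() {
    root="${1:-}"
    lcp_ip="${LCP_IP:-192.0.2.10}"   # placeholder; use the address from the PIQ
    mkdir -p "$root/etc/nginx/conf.d" "$root/etc/rsyslog.d"
    lcp_nginx_snippet          > "$root/etc/nginx/conf.d/lcp-logging.conf"
    lcp_rsyslog_conf "$lcp_ip" > "$root/etc/rsyslog.d/99-lcp.conf"
    if [ -z "$root" ]; then
        command -v nginx    >/dev/null 2>&1 && nginx -t
        command -v rsyslogd >/dev/null 2>&1 && rsyslogd -N1
        lcp_udp_listener_ok || echo "warning: nothing listening on UDP 514" >&2
    fi
    echo "wrote $root/etc/nginx/conf.d/lcp-logging.conf and $root/etc/rsyslog.d/99-lcp.conf"
}

# Usage: LCP_APPLY=1 LCP_IP=<lcp address> sh lcp-setup.sh [prefix]
# then restart rsyslog and nginx as described in the steps above.
if [ "${LCP_APPLY:-0}" = "1" ]; then lcp_apply "${1:-}"; fi
```

Run it first with a prefix (LCP_APPLY=1 LCP_IP=<address from the PIQ> sh lcp-setup.sh /tmp/dryrun) and inspect the two generated files; without a prefix it writes under /etc and runs nginx -t and rsyslogd -N1, which reject a malformed directive before the services are restarted. Two host-side points are worth checking: imudp listens on every interface unless $UDPServerAddress 127.0.0.1 is added beside $UDPServerRun 514, and since nginx only sends to loopback a loopback-only listener is sufficient; and nginx's syslog output is UDP with no delivery confirmation, so confirming the listener (lcp_udp_listener_ok) before the first nginx restart avoids losing the first events unnoticed.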

LCP Configuration Parameters

Table 1-2: The F5 Nginx event collector (Syslog -3964) properties to be configured by Accenture are given in the table.

Property    | Default Value           | Description
------------|-------------------------|------------
Protocol    | TCP                     | The device supports sharing logs over TCP only.
IP Address  | *                       | Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ). Note: If the device sends logs using multiple interfaces, contact the Accenture Security Onboarding team.
Signatures  | nginx_accesslogs,nginx: | Accenture Security recommended signatures processed by the F5 Nginx event collector.
Port Number | 601                     | Default port number for TCP.

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.