Caddy Web Server Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

This content pack is designed for Caddy web server running on Ubuntu systems. It parses Caddy web server access logs.

Supported Versions

  • Caddy web server version 2.7.x

Requirements

  • The supported log delivery is via Filebeat with Graylog Sidecar.

  • The pack only supports Ubuntu and Linux versions with the same path and file structure.

  • The pack only supports the standard log folder for Ubuntu.

Stream Configuration

This technology pack includes 1 stream:

  • "Illuminate:Caddy Webserver Messages"

Hint: If this stream does not exist prior to the activation of this pack then it is created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

  • "Caddy Webserver Logs"

Hint: If this index set is already defined, then nothing is changed. If this index set does not exist, then it is created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Input via Filebeat and Graylog Sidecar

Please use the official Graylog Sidecar documentation to configure your Graylog server and your client(s).

  1. Create an input and an API key and set up Graylog Sidecar.

  2. Add your client(s), e.g. web server.

Hint: It is possible to run the Caddy web server and Graylog on the same machine.

Graylog Server Settings

  1. Create a global Beats input in Graylog.

  2. Create a Graylog REST API access token and save it.

  3. Create a (Linux) filebeat configuration under Sidercar > Configuration with a Filebeat on Linux collector.

  4. Configure the file and add:

    • The correct IP address (Graylog server) under hosts.

    • The log source configured to the desired value and a field event_source_product with the value caddy_webserver.

    • This path setting pulls all logs in the - /var/log/caddy/* folder. Adjust the Caddy web server configuration file to store the logs locally and choose the required path, if necessary.

    Copy
    filebeat.inputs:
                        - input_type: log
                        paths:
                          - /var/log/caddy/*
                        type: filestream
                        fields_under_root: true
                        fields:
                          event_source_product: caddy_webserver

    Warning: There must be two spaces in front of event_source_product and - /var... .

  5. Save the configuration to complete setup.

Configure a Client with Filebeat and Graylog Sidecar

  1. Install Sidecar on the remote machine.

    Copy
    wget
                        https://packages.graylog2.org/repo/packages/graylog-sidecar-repository_1-5_all.deb
                        sudo dpkg -i graylog-sidecar-repository_1-5_all.deb
                        sudo apt-get update && sudo apt-get install graylog-sidecar
  2. Edit the /etc/graylog/sidecar/sidecar.yml file and configure:

    • server_url GraylogServerIP

    • server_api_token: Your API token

    Copy
    sudo gedit /etc/graylog/sidecar/sidecar.yml
                        server_url: "http://192.168.122.52:9000/api/"
                        server_api_token: "65ol7edseo24mub8o7pu86h2rsr8j9fjjpimtrm9nrpbjso7cnv"
  3. Install, enable, and verify the Sidecar service.

    Copy
    sudo graylog-sidecar -service install
                        sudo systemctl enable graylog-sidecar
                        sudo systemctl start graylog-sidecar
                        sudo systemctl status graylog-sidecar
  4. Install Filebeat according to the documentation. Or, here is the download link for the OSS version.

    • If you install it manually, install it again under /etc/filebeat.

    • If you install it via apt-get, then it is in the correct folder.

  5. Example commands for Ubuntu:

    Copy
    wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key
                        add -
                        sudo apt-get install apt-transport-https
                        echo "deb https://artifacts.elastic.co/packages/oss-8.x/apt stable main" | sudo tee -a
                        /etc/apt/sources.list.d/elastic-8.x.list
                        sudo apt-get update && sudo apt-get install filebeat
                        sudo systemctl enable filebeat
                        sudo systemctl start filebeat
                        sudo systemctl status filebeat
  6. (Optional) Edit the filebeat.yml file as needed. You do this via the Sidecar configuration in the Graylog interface.

  7. Start the deamon.

  8. If there is a permission issue, you can resolve with:

    Copy
    sudo chown root filebeat.yml
  9. In Graylog, assign a configuration to your machine

Warning: This pack was tested on Ubuntu and may not work as designed with other Linux-based systems due to different path and file names.

Log Format Example

Access Logs

"level":"info","ts":1743966522.1211624,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"192.168.156.55","remote_port":"60128","client_ip":"192.168.156.34","proto":"HTTP/1.1","method":"GET","host":"20.20.232.216:80","uri":"/","headers":{"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46"],"Accept-Encoding":["gzip, deflate","gzip, deflate"],"Connection":["keep-alive"],"Content-Type":["application/x-www-form-urlencoded; charset=UTF-8"],"Accept":["/"],"X-Requested-With":["XMLHttpRequest"],"Accept-Language":["en US,en;q=0.9,sv;q=0.8"]}},"bytes_read":110,"user_id":"","duration":0.000018081,"size":20,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://20.20.222.216/"],"Content-Type":[]}

What Is Provided

  • Parsing rules to extract Caddy web server access and error logs into Graylog schema-compatible fields.

  • GIM categorization for both access and error logs as 180200 (http communication) with Security Core enforcement fields.

GIM Categorization

GIM categorization is provided for the following messages:

Message Type gim_event_type_code gim_event_category gim_event_class gim_event_subcategory gim_event_type
Access Logs 180200 http protocol http.communication http communication
Error Logs 180200 http protocol http.communication http communication

Message Fields Included in This Pack

Parsed Fields

The following fields are extracted and normalized from Caddy web server access logs.

Field Name Example Value Field Type Description
destination_bytes_sent 10 long Bytes read from the client request body
event_source_product caddy_webserver string Illuminate product identifier
host_ip 20.20.232.216 ip Destination host IP address
host_port 80 long Destination host port
http_host 20.20.232.216:80 string HTTP host header value
http_request_method GET string HTTP request method
http_request_path / string HTTP request URI path
http_response Permanent Redirect string HTTP response status text
http_response_class redirection messages string HTTP response class category
http_response_code 308 long HTTP response status code
http_user_agent Mozilla/5.0 ... string HTTP User-Agent header
http_version 1.1 string HTTP protocol version
network_forwarded_ip 192.168.156.34 ip Forwarded client IP address
network_protocol http string Network protocol
source_bytes_sent 20 long Response body size in bytes
source_ip 192.168.156.34 ip Client IP address
source_port 60128 long Client source port
source_reference 192.168.156.34 string Source reference derived from source_ip
vendor_event_description handled request string Caddy log message
vendor_event_duration 0.000018081 double Request processing duration in seconds
vendor_event_severity info string Caddy log level
vendor_logger http.log.access string Caddy logger name
vendor_ts 1743966522.121 double Caddy event timestamp

Field Mapping

Caddy Web Server Content Pack

This spotlight offers a dashboard with 1 tab:

Overview