The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.
This content pack is designed for Caddy Webservers running on Ubuntu systems. It parses Caddy access logs.
Supported Version(s)
- Tested with Caddy version 2.7.x
Requirements
- The supported log delivery is via Filebeat with Graylog Sidecar.
- The pack only supports Ubuntu and Linux versions with the same path and file structure.
- The pack only supports the standard log folder for Ubuntu.
Stream Configuration
This technology pack includes one stream:
- "Illuminate:Caddy Webserver Messages"
Index Set Configuration
This technology pack includes one index set definition:
- "Caddy Webserver Logs"
What is Provided?
- Parsing rules to extract Caddy Webserver logs into Graylog schema-compatible fields. Caddy Webserver logs receive the GIM code 180200 (http.communication).
Log Format Example
Access Logs
```json
{"level":"info","ts":1743966522.1211624,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"192.168.156.55","remote_port":"60128","client_ip":"192.168.156.34","proto":"HTTP/1.1","method":"GET","host":"20.20.232.216:80","uri":"/","headers":{"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46"],"Accept-Encoding":["gzip, deflate","gzip, deflate"],"Connection":["keep-alive"],"Content-Type":["application/x-www-form-urlencoded; charset=UTF-8"],"Accept":["/"],"X-Requested-With":["XMLHttpRequest"],"Accept-Language":["en US,en;q=0.9,sv;q=0.8"]}},"bytes_read":110,"user_id":"","duration":0.000018081,"size":20,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://20.20.222.216/"],"Content-Type":[]}}
```
Input via Filebeat together with Graylog Sidecar
Please use the official Graylog Sidecar documentation to configure your Graylog server and your client(s).
- Create an input and an API key and set up Graylog Sidecar.
- Add your client(s), e.g. web server.
Graylog Server Settings
1. Create a global Beats input in Graylog.
2. Create a Graylog REST API access token and save it.
3. Create a (Linux) Filebeat configuration under Sidecar > Configuration with a "Filebeat on Linux" collector.
4. Configure the file and add:
- The correct IP (Graylog server IP) under hosts.
- The log source configured to the desired value and a field event_source_product with the value caddy_webserver.
```yaml
filebeat.inputs:
- input_type: log
  paths:
    - /var/log/caddy/*
  type: filestream
  fields_under_root: true
  fields:
    # Tags every event so the Illuminate Caddy rules pick it up.
    event_source_product: caddy_webserver
```
This setting pulls all logs from the /var/log/caddy/* folder. If needed, adjust the Caddy configuration file to store the logs locally and choose the desired path.
5. Finally, save the configuration to complete setup.
Configure a Client with Filebeat and Graylog Sidecar
1. Install Sidecar on the remote machine.
```shell
wget https://packages.graylog2.org/repo/packages/graylog-sidecar-repository_1-5_all.deb
sudo dpkg -i graylog-sidecar-repository_1-5_all.deb
sudo apt-get update && sudo apt-get install graylog-sidecar
```
2. Edit the /etc/graylog/sidecar/sidecar.yml file and configure:
- server_url: GraylogServerIP
- server_api_token: Your API token
```shell
sudo gedit /etc/graylog/sidecar/sidecar.yml
```
```yaml
server_url: "http://192.168.122.52:9000/api/"
server_api_token: "65ol7edseo24mub8o7pu86h2rsr8j9fjjpimtrm9nrpbjso7cnv"
```
3. Install, enable, and verify the Sidecar service.
```shell
sudo graylog-sidecar -service install
sudo systemctl enable graylog-sidecar
sudo systemctl start graylog-sidecar
sudo systemctl status graylog-sidecar
```
4. Install Filebeat according to the documentation, or use the download link for the OSS version.
- If you install it manually, install it under /etc/filebeat.
- If you install it via apt-get, then it is already in the correct folder.
Example commands for Ubuntu:
```shell
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
sudo apt-get install apt-transport-https
echo "deb https://artifacts.elastic.co/packages/oss-8.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-8.x.list
sudo apt-get update && sudo apt-get install filebeat
sudo systemctl enable filebeat
sudo systemctl start filebeat
sudo systemctl status filebeat
```
5. (Optional) Edit the filebeat.yml file as needed. You do this via the Sidecar configuration in the Graylog interface.
6. Start the daemon.
7. If there is a permission issue, you can resolve it with:
```shell
sudo chown root filebeat.yml
```
8. In Graylog, assign a configuration to your machine.
Field Mapping
| Illuminate Field | Vendor Field |
|---|---|
| vendor_event_severity | level |
| vendor_event_description | msg |
| vendor_logger | logger |
| vendor_event_duration | duration |
| source_bytes_sent | size |
| destination_bytes_sent | bytes_read |
| vendor_ts | ts |
| http_response_code | status |
| user_id | user_id |
| vendor_resp_headers_connection | resp_headers.Connection |
| vendor_resp_headers_content_type | resp_headers.Content-Type |
| vendor_resp_headers_location | resp_headers.Location |
| vendor_resp_headers_server | resp_headers.Server |
| vendor_resp_headers_alt_svc | resp_headers.Alt-Svc |
| vendor_resp_headers_content_encoding | resp_headers.Content-Encoding |
| vendor_resp_headers_content_security_policy | resp_headers.Content-Security-Policy |
| vendor_resp_headers_xcontent_type_options | resp_headers.X-Content-Type-Options |
| vendor_resp_headers_xframe_options | resp_headers.X-Frame-Options |
| vendor_resp_headers_xgraylog_node_id | resp_headers.X-Graylog-Node-Id |
| vendor_resp_headers_xua_compatible | resp_headers.X-Ua-Compatible |
| vendor_resp_headers_xruntime_microseconds | resp_headers.X-Runtime-Microseconds |
| vendor_resp_headers_content_length | resp_headers.Content-Length |
| source_ip | request.client_ip |
| http_host | request.host |
| http_request_method | request.method |
| vendor_http_version | request.proto |
| network_forwarded_ip | request.remote_ip |
| source_port | request.remote_port |
| http_request_path | request.uri |
| vendor_headers_accept | request.headers.Accept |
| vendor_headers_accept_encoding | request.headers.Accept-Encoding |
| vendor_headers_accept_language | request.headers.Accept-Language |
| vendor_headers_cache_control | request.headers.Cache-Control |
| vendor_headers_connection | request.headers.Connection |
| vendor_headers_content_type | request.headers.Content-Type |
| vendor_headers_cookie | request.headers.Cookie |
| vendor_headers_priority | request.headers.Priority |
| vendor_headers_xgraylog_no_session_extension | request.headers.X-Graylog-No-Session-Extension |
| vendor_headers_sec_ch_ua | request.headers.Sec-Ch-Ua |
| vendor_headers_sec_ch_ua_mobile | request.headers.Sec-Ch-Ua-Mobile |
| vendor_headers_sec_ch_ua_platform | request.headers.Sec-Ch-Ua-Platform |
| vendor_headers_sec_fetch_dest | request.headers.Sec-Fetch-Dest |
| vendor_headers_sec_fetch_mode | request.headers.Sec-Fetch-Mode |
| vendor_headers_sec_fetch_site | request.headers.Sec-Fetch-Site |
| vendor_headers_sec_gpc | request.headers.Sec-Gpc |
| http_referrer | request.headers.Referer |
| http_user_agent | request.headers.User-Agent |
| vendor_headers_xrequested_with | request.headers.X-Requested-With |
| vendor_request_tls_cipher_suite | request.tls.cipher_suite |
| vendor_request_tls_proto | request.tls.proto |
| vendor_request_tls_resumed | request.tls.resumed |
| vendor_request_tls_server_name | request.tls.server_name |
| vendor_request_tls_version | request.tls.version |
| vendor_extra_relation_index | extra.relation_index |
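As an added example (not the content pack's own pipeline rules), the following Python applies a representative subset of the mapping table above to the access log line shown under Log Format Example, flattening Caddy's list-valued headers and dropping empty fields; the sample line is trimmed from the page's example and the `gim_event_type_code` field name is an assumption.

```python
import json

# Vendor field (dotted path in the Caddy JSON) -> Illuminate field, taken from
# the mapping table on this page (a representative subset, not the whole table).
FIELD_MAP = {
    "ts": "vendor_ts",
    "status": "http_response_code",
    "user_id": "user_id",
    "request.client_ip": "source_ip",
    "request.remote_ip": "network_forwarded_ip",
    "request.remote_port": "source_port",
    "request.method": "http_request_method",
    "request.uri": "http_request_path",
    "request.headers.User-Agent": "http_user_agent",
    "request.headers.Accept-Encoding": "vendor_headers_accept_encoding",
    "resp_headers.Location": "vendor_resp_headers_location",
    "resp_headers.Content-Type": "vendor_resp_headers_content_type",
}

# Trimmed copy of the access log line shown on this page (headers shortened).
SAMPLE_LINE = (
    '{"level":"info","ts":1743966522.1211624,"logger":"http.log.access","msg":"handled request",'
    '"request":{"remote_ip":"192.168.156.55","remote_port":"60128","client_ip":"192.168.156.34",'
    '"proto":"HTTP/1.1","method":"GET","host":"20.20.232.216:80","uri":"/","headers":{"User-Agent":'
    '["Mozilla/5.0"],"Accept-Encoding":["gzip, deflate","gzip, deflate"]}},"bytes_read":110,'
    '"user_id":"","duration":0.000018081,"size":20,"status":308,"resp_headers":{"Server":["Caddy"],'
    '"Location":["https://20.20.222.216/"],"Content-Type":[]}}'
)

def lookup(obj, dotted):
    """Walk a dotted path through nested dicts; return None if any step is missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def map_caddy_access_log(line):
    """Parse one Caddy JSON access log line into Illuminate-named fields. Caddy logs
    header values as lists: they are joined with ', ', and empty values are dropped."""
    event = json.loads(line)
    out = {"gim_event_type_code": 180200}  # GIM code from this page; field name assumed
    for vendor, illuminate in FIELD_MAP.items():
        value = lookup(event, vendor)
        if isinstance(value, list):
            value = ", ".join(str(v) for v in value)
        if value is None or value == "":
            continue  # no blank fields in the indexed event
        out[illuminate] = value
    return out
```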
Caddy Webserver Spotlight Content Pack
Caddy Webserver offers a dashboard with one tab: Caddy Webserver Overview
Caddy Webserver Overview Tab