apache/http-server Dashboards | Integrations | LogScale Documentation

Skip to content

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Query Examples Training API GraphQL API Contacting Support

Reading time: 13 minutes

apache/http-server Dashboards

Error log analysis

Widget	Description	Type
Top 5 clients associated with error events	Which are the top client IP addresses that appear in error log events (var/log/apache2/error.log) Hide Query Show Query logscale `#logtype = "apache-error-log" \| in(field=log_level, values=["emerg", "crit", "alert", "error"]) \| default(field=client_ip, value="unknown", replaceEmpty=true) \| timeChart(client_ip, limit=5) // Top 5 clients causing errors`	`Time Chart`
Top error messages	List of error messages (from var/log/apache2/error.log) sorted by greatest number of occurrences of each message. NB some error log message types contain server/host specific information. Hide Query Show Query logscale `#logtype = "apache-error-log" \| log_level = ?{log_level=*} \| top(error_message, as="count") // Top 10 messages in error logs`	`Table`
Error log levels over time	Volume of error logs by log type over time (from var/log/apache2/error.log) Hide Query Show Query logscale `#logtype = "apache-error-log" \| default(field=server_name, value="unknown", replaceEmpty=true) \| server_name = ?{server_name=*} // Server Parameter \| timechart(log_level) // Displays log levels over time`	`Time Chart`
Critical errors	The most common `emerg`, `crit` or `alert` error messages with server name, error message and the number of instances of this message (from var/log/apache2/error.log) Hide Query Show Query logscale `#logtype = "apache-error-log" \| in(field=log_level, values=["emerg", "crit", "alert"]) // critical log levels \| default(field=server_name, value="unknown", replaceEmpty=true) \| server_name = ?{server_name=*} \| top([server_name, log_level, error_message], limit=200, as="count")`	`Table`
Top 5 servers that are associated with error events	Which are the server names that appear in error log events (var/log/apache2/error.log) Hide Query Show Query logscale `#logtype = "apache-error-log" \| in(field=log_level, values=["emerg", "crit", "alert", "error"]) \| default(field=server_name, value="unknown", replaceEmpty=true) \| timeChart(server_name, limit=5)`	`Time Chart`
Client locations associated with critical errors	Location of client IPs that are associated with error log events of type emerg, crit or alert (from var/log/apache2/error.log). Note - location of client IP does not always correlate with actual physical location of user or system Hide Query Show Query logscale `#logtype = "apache-error-log" \| in(field=log_level, values=["emerg", "crit", "alert"]) // critical log levels \| default(field=server_name, value="unknown", replaceEmpty=true) \| server_name = ?{server_name=*} // Server Parameter \| worldMap(ip = client_ip)`	`World Map`

HTTP errors

Widget	Description	Type
Top clients causing 4xx errors	Which client IPs are causing the most 4XX errors Hide Query Show Query logscale `#logtype = "apache-access-log" \| status_code = 4* \| timeChart(client_ip, limit=5) // Displays the top 5 clients with 4xx status codes over time`	`Time Chart`
HTTP errors over time	Volume of server and client errors over time Hide Query Show Query logscale `#logtype = "apache-access-log" \| status_code >= 400 \| default(field=server_name, value="unknown", replaceEmpty=true) \| server_name = ?{server_name=} // Server parameter \| case { status_code = 5 \| error_type := "Server error"; status_code = 4* \| error_type := "Client error"; } \| timechart(error_type) // Displays the error_type assigned over time`	`Time Chart`
Top URLs with 5xx errors	The 5 URLs with the most 5XX errors over time Hide Query Show Query logscale `#logtype = "apache-access-log" \| status_code = 5* \| default(field=server_name, value="unknown", replaceEmpty=true) \| server_name = ?{server_name=*} // Server parameter \| timeChart(url, limit=5) // Displays the top 5 urls with maximum count of 5xx status codes over the time`	`Time Chart`
Top URLs with 4xx errors	The 5 URLs with the most 4XX errors over time Hide Query Show Query logscale `#logtype = "apache-access-log" \| status_code = 4* \| default(field=server_name, value="unknown", replaceEmpty=true) \| server_name = ?{server_name=*} // Server parameter \| timeChart(url, limit=5) // Displays the top 5 urls with maximum count of 4xx status codes over the time`	`Time Chart`
4xx codes by server	Number of 4XX status codes by server Hide Query Show Query logscale `#logtype = "apache-access-log" \| status_code = 4* \| default(field=server_name, value="unknown", replaceEmpty=true) \| groupby([server_name, status_code]) // Displays count of the 4xx status codes for each server`	`Bar Chart`
5xx codes by server	Number of 5XX status codes by server Hide Query Show Query logscale `#logtype = "apache-access-log" \| status_code = 5* \| default(field=server_name, value="unknown", replaceEmpty=true) \| groupby([server_name, status_code]) // Displays count of the 5xx status codes for each server`	`Bar Chart`
Client (4xx) and server (5xx) errors	Number of 4xx (client) and 5xx (server) errors Hide Query Show Query logscale `#logtype = "apache-access-log" \| status_code >= 400 \| case { status_code = 4* \| error_type := "Client error"; status_code = 5* \| error_type := "Server error"; } \| groupBy(error_type) // Displays client and server errors`	`Pie Chart`
Clients with specific 4xx errors	Which Client IPs are causing most 4XX errors with the specific error code and description Hide Query Show Query logscale `#logtype = "apache-access-log" \| client_ip = ?{client_ip=} // Client IP parameter \| status_code = 4 \| match(file="apache/http-server/status_code.csv", column="status", field="status_code", include=[status_description]) \| groupBy([client_ip, status_code , status_description], function=count(as="count")) \| sort(count) // Displays the table of client_ip, status_code, status_description(from the lookup file) with count`	`Table`

IOC matches for client IP

Widget	Description	Type
IOC geolocation	Location of client IP addresses present in IOC. Note - location of client IP does not always correlate with actual physical location of user or system Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| worldMap(ip=client_ip) // location of malicious client IP's`	`World Map`
Threat trends	Number of client IP IOC matches by confidence threshold over time Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict="true", confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| rename(field="ioc.malicious_confidence", as="iocmc") \| timechart(iocmc) // malicious confidence over time`	`Time Chart`
Threat types	Pie chart showing breakdown of threat types (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^ThreatType\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
Threat relationships	Links client IP IOC labels to the different values of each label Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(?<category>^[^\/]+)\/(?<value>.+)$") \| sankey(source="category",target="value") // threat relationships`	`Sankey`
Actors	Pie chart showing breakdown of threat actors (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^Actor\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
Kill chains	Pie chart showing breakdown of kill chain values (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^KillChain\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
All threat details	Detailed information of all threats found in client IPs Hide Query Show Query logscale #logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| "ioc.malicious_confidence" match { unverified => icon := "\u2139 " ; low => icon := "\u2B07 " ; medium => icon := "\u26A0 " ; high => icon := "\u2757 " ; * => icon := " " ; } // icons to display for each malicious confidence \| concat(["icon", "ioc.malicious_confidence"], as="ioc.malicious_confidence") \| now := now() \| ioc_age := now - ioc.last_updated \| formatDuration(ioc_age, precision=2, as="ioc.age") \| groupBy(["ip_addr_IOC", "#repo", "ioc.type", "ioc.indicator", "ioc.malicious_confidence", "ioc.published_date", "ioc.last_updated", "ioc.age", "ioc.labels"]) // // all information regarding malicious client IP's \| formatTime(field="ioc.published_date", as="ioc.published_date", format="%Y-%m-%d %H:%M:%S") \| formatTime(field="ioc.last_updated", as="ioc.last_updated", format="%Y-%m-%d %H:%M:%S")	`Table`
Malware	Pie chart showing breakdown of malware types (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^Malware\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
note-1624965575450	# All Details The table below shows details of all the threats found, irrespective of the threshold filter applied. Click on the various aspects of these results to drill down into the raw events	`Note`
Introduction to indicators of compromise (IOC) dashboard	Falcon LogScale includes an integration with CrowdStrike's Falcon Intelligence to provide Falcon LogScale customers with a built-in database of Indicators of Compromise (IOCs). Customers can search their logs for matches against the IOC database and see relevant threat information for each IOC found. Find out more. This dashboard takes the client_ip field from both Apache access and error logs and checks it against known IP addresses in the IOC database with the `ioc:lookup()` function.	`Note`

IOC matches for referer domain

Widget	Description	Type
IOC geolocation	Location of client IP addresses present in IOC. Note - location of client IP does not always correlate with actual physical location of user or system Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| worldMap(ip=client_ip) // location of malicious client IP's`	`World Map`
Threat types	Pie chart showing breakdown of threat types (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^ThreatType\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
Threat relationships	Links client IP IOC labels to the different values of each label Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(?<category>^[^\/]+)\/(?<value>.+)$") \| sankey(source="category",target="value") // threat relationships`	`Sankey`
Actors	Pie chart showing breakdown of threat actors (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^Actor\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
Kill chains	Pie chart showing breakdown of kill chain values (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^KillChain\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
All threat details	Detailed information of all threats found in client IPs Hide Query Show Query logscale #logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| "ioc.malicious_confidence" match { unverified => icon := "\u2139 " ; low => icon := "\u2B07 " ; medium => icon := "\u26A0 " ; high => icon := "\u2757 " ; * => icon := " " ; } // icons to display for each malicious confidence \| concat(["icon", "ioc.malicious_confidence"], as="ioc.malicious_confidence") \| now := now() \| ioc_age := now - ioc.last_updated \| formatDuration(ioc_age, precision=2, as="ioc.age") \| groupBy(["ip_addr_IOC", "#repo", "ioc.type", "ioc.indicator", "ioc.malicious_confidence", "ioc.published_date", "ioc.last_updated", "ioc.age", "ioc.labels"]) // // all information regarding malicious client IP's \| formatTime(field="ioc.published_date", as="ioc.published_date", format="%Y-%m-%d %H:%M:%S") \| formatTime(field="ioc.last_updated", as="ioc.last_updated", format="%Y-%m-%d %H:%M:%S")	`Table`
Malware	Pie chart showing breakdown of malware types (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^Malware\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
note-1624965575450	# All Details The table below shows details of all the threats found, irrespective of the threshold filter applied. Click on the various aspects of these results to drill down into the raw events	`Note`
Introduction to indicators of compromise (IOC) dashboard	Falcon LogScale includes an integration with CrowdStrike's Falcon Intelligence to provide Falcon LogScale customers with a built-in database of Indicators of Compromise (IOCs). Customers can search their logs for matches against the IOC database and see relevant threat information for each IOC found. Find out more. This dashboard extracts the domain from the referer field of the Apache access logs and checks it against known domains in the IOC database with the `ioc:lookup()` function.	`Note`

Overview

Widget	Description	Type
Responses over time	Breakdown of response volumes by type over time Hide Query Show Query logscale `#logtype = "apache-access-log" \| default(field=server_name, value="unknown", replaceEmpty=true) \| server_name = ?{server_name=} // Server parameter \| case { status_code = 2 \| response := "success"; status_code = 3* \| response := "redirects"; status_code = 4* \| response := "client_errors"; status_code = 5* \| response := "server_errors"; } \| timechart(response) // Displays the responses assigned for each group of status codes over the time period`	`Time Chart`
Unique visitors	Number of unique client IPs visiting server(s) Hide Query Show Query logscale `#logtype = "apache-access-log" \| default(field=server_name, value="unknown", replaceEmpty=true) \| server_name = ?{server_name=*} // Server parameter \| timeChart(function=count(client_ip, distinct=true)) // Unique client ip's over time`	`Time Chart`
World map of visitor locations	Location of client IPs. Note location of client IP does not always correlate with actual physical location of user or system Hide Query Show Query logscale `#logtype = "apache-access-log" \| default(field=server_name, value="unknown", replaceEmpty=true) \| server_name = ?{server_name=*} // Server parameter \| worldMap(ip=client_ip) // Worldmap of client locations`	`World Map`
Bytes served over time	Total volume of data served by web server(s) over time Hide Query Show Query logscale `#logtype = "apache-access-log" \| default(field=server_name, value="unknown", replaceEmpty=true) \| server_name = ?{server_name = *} // Server parameter \| timeChart(function=sum(response_size))`	`Time Chart`
Bytes served by media type	Relative volume of each media type served - note media type is determined from the URL Hide Query Show Query logscale `#logtype = "apache-access-log" \| default(field=server_name, value="unknown", replaceEmpty=true) \| server_name = ?{server_name=*} // Server parameter \| regex("\\.(?<media_type>[A-Za-z]+)", field=url) \| groupBy(["media_type"], function=[sum(response_size)])`	`Pie Chart`
Requests per second for each server	Requests received per second Hide Query Show Query logscale `#logtype = "apache-access-log" \| default(field=server_name, value="unknown", replaceEmpty=true) \| server_name = ?{server_name=*} // Server parameter \| timeChart(server_name, unit="1/s")`	`Time Chart`
Bytes served by media type over time	Volume of bytes served for each media type over time. Note - media type is determined from the URL Hide Query Show Query logscale `#logtype = "apache-access-log" \| default(field=server_name, value="unknown", replaceEmpty=true) \| server_name = ?{server_name=*} // Server parameter \| regex("\\.(?<media_type>[A-Za-z]+)", field=url) \| timeChart(media_type, function=[sum(response_size)]) // media types served over time`	`Time Chart`
Bytes served	Total volume of data served by web server(s) Hide Query Show Query logscale `#logtype = "apache-access-log" \| default(field=server_name, value="unknown", replaceEmpty=true) \| server_name = ?{server_name=} // Server parameter \| response_size := sum(response_size) \| eval(response_size = response_size / (10241024*1000)) // converting bytes to GB`	`Single Value`
Web servers	List of all web servers Hide Query Show Query logscale `#logtype = "apache-access-log" \| default(field=server_name, value="unknown", replaceEmpty=true) \| groupBy(server_name, function=[])`	`Table`
Total visitors	Total number of unique client IPs visiting server(s) Hide Query Show Query logscale `#logtype = "apache-access-log" \| default(field=server_name, value="unknown", replaceEmpty=true) \| server_name = ?{server_name=*} \| count("client_ip", distinct=True)`	`Single Value`

Visitor insights

Widget	Description	Type
Worldmap of visitor location	Location of client IPs. Note location of client IP does not always correlate with actual physical location of user or system Hide Query Show Query logscale `#logtype = "apache-access-log" \| default(field=server_name, value="unknown", replaceEmpty=true) \| server_name = ?{server_name=*} // Server parameter \| worldMap(ip=client_ip) // Worldmap of client locations`	`World Map`
Top user agents	Top 10 user agents making any requests, irrespective of success or error Hide Query Show Query logscale `#logtype = "apache-access-log" \| default(field=server_name, value="unknown", replaceEmpty=true) \| server_name = ?{server_name=*} // Server parameter \| top(user_agent, as="count")`	`Table`
Malicious referer domains	Domains that exists in CrowdStrike's Falcon LogScale IOC database. See the 'IOC matches for referer domain' dashboard for more details Hide Query Show Query logscale `#logtype = "apache-access-log" \| regex("https?:\\/\\/(?<domain>.+?)(\\/\|\\?\|$)", field=referer) \| ioc:lookup(["domain"], type="domain", strict=true) \| timechart()`	`Single Value`
Top URLs	Most common URLs - counts only successful requests Hide Query Show Query logscale `#logtype = "apache-access-log" \| status_code = 2* \| default(field=server_name, value="unknown", replaceEmpty=true) \| server_name = ?{server_name=*} // Server parameter \| top(url, as="count")`	`Table`
Top referers	The sites referring visitors to your sites Hide Query Show Query logscale `#logtype = "apache-access-log" \| default(field=server_name, value="unknown", replaceEmpty=true) \| server_name = ?{server_name=*} // Server parameter \| regex("https?:\\/\\/(?<domain>.+?)(\\/\|\\?\|$)", field=referer) \| top(domain)`	`Pie Chart`
Top referers over time	The sites referring visitors to your sites Hide Query Show Query logscale `#logtype = "apache-access-log" \| default(field=server_name, value="unknown", replaceEmpty=true) \| server_name = ?{server_name=*} // Server parameter \| regex("https?:\\/\\/(?<domain>.+?)(\\/\|\\?\|$)", field=referer) \| timeChart(domain, limit=10) // Referer domains over time`	`Time Chart`
Malicious client IPs	Client IPs that exists in CrowdStrike's Falcon LogScale IOC database. See the 'IOC matches for client IP' dashboard for more details Hide Query Show Query logscale `#logtype = "apache-access-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true) \| timechart()`	`Single Value`

Enter search term