本文にスキップ
KYRA MDR KYRA MDR Docs

Apache Tomcat Integration

Overview

This integration collects Tomcat access logs and application logs (catalina.out) for web attack detection, session security monitoring, and application health tracking. Tomcat is the most widely used open-source Java application server in Korean SMB environments, including Spring Boot embedded Tomcat deployments.

Supported versions: Tomcat 9.x, 10.x

Prerequisites

  • A KYRA MDR Collector installed and running (Installation Guide)
  • Root or sudo access on the Tomcat server
  • Network connectivity from the server to the collector on port 514

Configuration

Access Log Valve

Enable the access log valve in server.xml with response time tracking:

server.xml
<Valve className="org.apache.catalina.valves.AccessLogValve"
       directory="logs" prefix="access_log" suffix=".log"
       pattern="%h %l %u %t &quot;%r&quot; %s %b %D" />

The %D pattern records response time in milliseconds for slow-response detection.

rsyslog File Monitoring

Forward Tomcat logs to the collector via rsyslog:

/etc/rsyslog.d/tomcat.conf
module(load="imfile")
input(type="imfile" File="/opt/tomcat/logs/access_log.*.log" Tag="tomcat-access" Facility="local0")
input(type="imfile" File="/opt/tomcat/logs/catalina.out" Tag="tomcat-app" Facility="local0")
local0.* @@KYRA_COLLECTOR_IP:514

Restart rsyslog: sudo systemctl restart rsyslog

Spring Boot Syslog Appender (Optional)

For Spring Boot applications, add a syslog appender in logback-spring.xml:

<appender name="SYSLOG" class="ch.qos.logback.classic.net.SyslogAppender">
    <syslogHost>KYRA_COLLECTOR_IP</syslogHost>
    <port>514</port>
    <facility>LOCAL0</facility>
</appender>

Collected Log Types

Log TypeSecurity UsePriority
Access logsSQL injection, XSS, path traversal detectionCritical
Authentication failuresBrute force on login endpoints (401/403)High
Manager/host-manager accessAdmin console attack attemptsCritical
File uploadsWeb shell upload detection (.jsp/.war)Critical
Application exceptionsJava deserialization attacks, DoS indicatorsHigh
Response time anomaliesSlow HTTP DoS detection (%D > 5000ms)Medium

Troubleshooting

No Logs Received

  1. Verify the AccessLogValve is enabled in server.xml
  2. Check the Tomcat log directory path in your rsyslog configuration
  3. Ensure port 514 is open between the server and collector
  4. Restart rsyslog after config changes: sudo systemctl restart rsyslog

Missing Response Times

  • Ensure the %D pattern is included in the AccessLogValve pattern attribute
  • Response time data is required for slow HTTP attack detection

For additional help, contact kyra@seekerslab.com.