This article covers how to send Apache logs to Chronicle by using rsyslog on Ubuntu-based systems.
Configuring Apache HTTP Server with syslog
This guide explains how to send events from Apache to Chronicle by using rsyslog on Ubuntu-based systems.
1. Create a file under /etc/rsyslog.d/ named 02-apache2.conf:
vim /etc/rsyslog.d/02-apache2.conf
2. Add the following code block to the file:
# Load imfile once; rsyslog refuses a config that loads the same module twice.
module(load="imfile" PollingInterval="10" statefile.directory="/var/spool/rsyslog")

# Apache access log, tagged http_access, emitted as local6.info
input(type="imfile"
      File="/var/log/apache2/access.log"
      Tag="http_access"
      Severity="info"
      Facility="local6")

# Apache error log, tagged http_error. The original block ended after Tag;
# Facility="local6" is added here so these lines match the selector below
# (Severity is left at imfile's default, notice, which local6.info also matches).
input(type="imfile"
      File="/var/log/apache2/error.log"
      Tag="http_error"
      Facility="local6")

# Forward every local6 message of severity info or higher to the Chronicle forwarder over UDP
local6.info @<Forwarder IP>:11534
The following is an explanation of the fields in the file:
1) module line:
- load: Specifies the rsyslog module to load, in this case the imfile module, which turns lines of a text file into syslog messages.
- PollingInterval: Specifies how often, in seconds, the file is checked for new data. Avoid setting this parameter to 0, or you risk overloading your system CPU.
- statefile.directory: Specifies a dedicated directory for the storage of imfile state files (any directory can be used). To verify that this directory exists on your deployment, run the following command:
ls /var/spool/rsyslog/
2) input lines:
- type: Specifies the type of the input, in this case imfile, which converts these logs to a usable format.
- File: Specifies the file to be polled; all Apache2 logs are stored under /var/log/apache2.
- Tag: Configures the syslog tag placed at the start of each message from this log source, and can be used as your LSI.
- Severity: The syslog severity assigned to lines read from the file; for access logs you want "info".
- Facility: The syslog facility assigned to messages read from the specified file.
- The last line (local6.info @<Forwarder IP>:11534) forwards every message with facility local6 and severity info or higher to your Chronicle instance; the single @ means UDP, and 11534 is the forwarder port.
3. Restart the rsyslog service and confirm that it is running:
service rsyslog restart
service rsyslog status
Events like the following then arrive in your Chronicle instance.
Sample Logs
The following is a sample log line as Apache, via rsyslog, sends it to Chronicle:
<13>Jul 5 21:01:16 ip-192-168-1-1 ip-192-168-1-1.ap-south-1.compute.internal:443 0.0.0.0 - - [05/Jul/2023:21:01:15 +0000] "POST /wp-cron.php?doing_wp_cron=1688590975.2544340602874755859375 HTTP/1.1" 200 6521 "-" "WordPress/6.2.2; https://www.contoso.com"
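To see what the configuration above actually produces, the following added example (not part of the article or of rsyslog) decodes the syslog envelope of the sample line and splits the Apache combined-log payload into fields. It also computes the PRI value the facility/severity settings in the input block yield (local6 + info = 182) and decodes the <13> of the article's sample, which is user.notice rather than local6.info. The second sample line, TAGGED_SAMPLE, is constructed; it assumes imfile places the configured Tag as the first token of the message, so the parser strips one leading token and retries when the payload does not parse as a combined-log line.

```python
"""Decode syslog-wrapped Apache access events as forwarded by rsyslog/imfile (added example)."""
import re
from datetime import datetime

# Syslog facility and severity names in numeric order (RFC 5424, section 6.2.1).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Sample event from the article, joined onto one line.
ARTICLE_SAMPLE = (
    '<13>Jul 5 21:01:16 ip-192-168-1-1 ip-192-168-1-1.ap-south-1.compute.internal:443 0.0.0.0 - - '
    '[05/Jul/2023:21:01:15 +0000] "POST /wp-cron.php?doing_wp_cron=1688590975.2544340602874755859375 '
    'HTTP/1.1" 200 6521 "-" "WordPress/6.2.2; https://www.contoso.com"')

# Constructed sample (not from the article): PRI 182 = local6 (22) * 8 + info (6),
# with the imfile Tag "http_access" assumed to appear in front of the message.
TAGGED_SAMPLE = (
    '<182>Jul  5 21:01:16 ip-192-168-1-1 http_access '
    'ip-192-168-1-1.ap-south-1.compute.internal:443 0.0.0.0 - - '
    '[05/Jul/2023:21:01:15 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.81.0"')

# <PRI>Mon dd HH:MM:SS hostname message
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$')
# vhost:port client ident user [time] "request" status bytes "referer" "user-agent"
APACHE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')


def pri_for(facility, severity):
    """PRI value rsyslog writes in the angle brackets for a facility/severity pair."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(pri):
    """Split a PRI value back into (facility name, severity name)."""
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_event(line):
    """Return a dict of syslog envelope fields plus the Apache combined-log fields."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line[:40])
    facility, severity = decode_pri(int(m.group("pri")))
    msg, tag = m.group("msg"), None
    a = APACHE_RE.match(msg)
    if not a:
        # Assumption: imfile prefixes the configured Tag; drop one token and retry.
        tag, _, rest = msg.partition(" ")
        a = APACHE_RE.match(rest)
        if not a:
            raise ValueError("message is not in Apache combined-log format")
    f = a.groupdict()
    vhost, sep, port = f["vhost"].rpartition(":")
    if not sep:                      # no ":port" suffix on the vhost field
        vhost, port = port, None
    request = f["request"].split(" ")
    return {
        "facility": facility, "severity": severity, "tag": tag,
        "syslog_host": m.group("host"),
        "vhost": vhost, "port": int(port) if port else None,
        "client": f["client"], "user": f["user"],
        "time": datetime.strptime(f["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": request[0],
        "path": request[1] if len(request) > 1 else "",
        "protocol": request[2] if len(request) > 2 else "",
        "status": int(f["status"]),
        "bytes": 0 if f["bytes"] == "-" else int(f["bytes"]),
        "referer": f["referer"], "agent": f["agent"],
    }


if __name__ == "__main__":
    print("local6.info selector expects PRI", pri_for("local6", "info"))
    for line in (ARTICLE_SAMPLE, TAGGED_SAMPLE):
        ev = parse_event(line)
        print("%s.%s tag=%s %s %s %s -> %d (%d bytes) from %s" % (
            ev["facility"], ev["severity"], ev["tag"], ev["method"], ev["path"],
            ev["vhost"], ev["status"], ev["bytes"], ev["client"]))
```

Running the script shows that the article's sample carries PRI 13 (user.notice), while messages tagged and forwarded by the input blocks above are expected to carry PRI 182 (local6.info); comparing the two is a quick way to confirm that the facility and severity you configured are the ones reaching Chronicle.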