Apache logs to Chronicle

  • Updated

    Configuring Apache HTTP Server with syslog

    This guide explains how to send events from Apache by using rsyslog for Ubuntu based systems.

    1. Create a file under /etc/rsyslog.d/ named 02-apache2.conf:
    vim /etc/rsyslog.d/02-apache2.conf

    2. Add the following code block to the file:

    module(load="imfile" PollingInterval="10" statefile.directory="/var/spool/rsyslog")
    input(type="imfile"
             File="/var/log/apache2/access.log"
             Tag="http_access"
             Severity="info"
             Facility="local6")
    Local6.info        @<Forwarder IP>:11534
    module(load="imfile" PollingInterval="10" statefile.directory="/var/spool/rsyslog")
    input(type="imfile"
             File="/var/log/apache2/error.log"
             Tag="http_error"

    Picture16.png

    The following is an explanation of the fields in the file:

    1) module line:

    • load: Specifies the RSyslog module to load, which in this case is the imfile module for converting files to syslog.
    • PollingInterval: Specifies how often the file is read for new data. Avoid setting this parameter to 0 or you risk overloading your system CPU.
    • statefile.directory: Specifies a dedicated directory for the storage of imfile state files. To verify whether this directory exists on your deployment (any directory can be used), you can run the following command:
      • ls /var/spool/rsyslog/

    2) input lines

    • type: Specifies the type of the module, in this case the imfile for converting these logs to a usable format.
    • File: Specifies the file to be polled, all Apache2 logs are stored under /var/log/apache2.
    • Tag: Configures a field at the start of your log source, and can be used as your LSI.
    • Severity: Syslog severity to be assigned to lines read from the file, for access logs you want "info".
    • Facility: Syslog facility to be assigned to messages read from the file specified.
    • The last line specifies that these log lines are forwarded to your Chronicle Instance.
    • Restart RSyslog services.
      • service rsyslog restart
      • service rsyslog status

    You will receive events to your Chronicle Instance like below.

    Picture17.png

    Picture18.png

    Sample Logs

    The following are the logs that Apache send to Chronicle.

    <13>Jul 5 21:01:16 ip-192-168-1-1 ip-192-168-1-1.ap-south-1.compute.internal:443 0.0.0.0 - - 
    [05/Jul/2023:21:01:15 +0000] "POST /wp-cron.php?doing_wp_cron=1688590975.2544340602874755859375 
    HTTP/1.1" 200 6521 "-" "WordPress/6.2.2; https://www.contoso.com"

    Related articles

    Comments

    0 comments

    Please sign in to leave a comment.