Configuring Apache HTTP Server with syslog
This guide explains how to forward Apache HTTP Server access and error logs to Chronicle by using rsyslog on Ubuntu-based systems.
1. Create a file under /etc/rsyslog.d/ named 02-apache2.conf:
vim /etc/rsyslog.d/02-apache2.conf
2. Add the following configuration block to the file:
module(load="imfile" PollingInterval="10" statefile.directory="/var/spool/rsyslog")

input(type="imfile"
      File="/var/log/apache2/access.log"
      Tag="http_access"
      Severity="info"
      Facility="local6")

input(type="imfile"
      File="/var/log/apache2/error.log"
      Tag="http_error"
      # Severity for the error log is not given in the original guide; "error" is assumed here
      Severity="error"
      Facility="local6")

local6.info @<Forwarder IP>:11534
The following is an explanation of the fields in the file:
1) module line:
- load: Specifies the rsyslog module to load, in this case imfile, which reads plain text files and turns each new line into a syslog message. Load it only once per configuration; a second module(load="imfile") statement makes rsyslogd reject the configuration.
- PollingInterval: Specifies, in seconds, how often the files are checked for new data when imfile runs in polling mode. Do not set this parameter to 0 or you risk overloading your system CPU. On Linux the default mode is inotify, in which the files are read as soon as they change and this parameter is ignored.
- statefile.directory: Specifies a dedicated directory for the imfile state files, which record how far each file has already been read so that a restart neither re-sends nor skips lines. Any directory can be used, but it must be writable by the user rsyslog runs as. To verify that it exists on your deployment, run:
- ls /var/spool/rsyslog/
2) input lines
- type: Specifies the input module, in this case imfile, so that each line of the file is read as a log message.
- File: Specifies the file to be monitored; Apache2 writes its logs under /var/log/apache2.
- Tag: Sets the syslog tag at the start of each message, and can be used as your LSI.
- Severity: Syslog severity assigned to lines read from the file. For access logs you want "info"; for the error log "error" is used here.
- Facility: Syslog facility assigned to messages read from the file. Both inputs use local6 so that a single selector matches them.
- The last line, local6.info @<Forwarder IP>:11534, is the selector that forwards every message with facility local6 and severity info or higher (which covers both inputs) to your Chronicle forwarder. A single @ sends over UDP; use @@ for TCP.
3. Restart rsyslog and confirm that it is running:
- service rsyslog restart
- service rsyslog status
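The whole procedure above, as an added example script that is not part of the original guide or of Chronicle's own tooling: it renders 02-apache2.conf with imfile loaded once, makes sure the state directory exists, checks the configuration with rsyslog's built-in syntax check (rsyslogd -N1) before restarting, and then sends a probe message with the same facility, severity and tag as an access-log line so you can confirm it arrives at the forwarder. The forwarder address defaults to the documentation address 192.0.2.10 (assumption, replace it), Severity="error" for error.log is our choice, and all function names are ours.

```shell
#!/bin/sh
# Added example (not from the original guide): render, validate and install the
# rsyslog imfile configuration for Apache, then restart rsyslog and send a probe.
# Assumptions: FORWARDER_IP defaults to 192.0.2.10 (replace it), the error log is
# assigned Severity="error", and every function name here is ours.

set -u

CONF_PATH="/etc/rsyslog.d/02-apache2.conf"
STATE_DIR="/var/spool/rsyslog"
FORWARDER="${FORWARDER_IP:-192.0.2.10}"   # assumed placeholder, set FORWARDER_IP
FORWARDER_PORT=11534                      # port used in the guide

# Print the rsyslog configuration. imfile is loaded exactly once: rsyslogd
# rejects a configuration that loads the same module twice.
render_config() {
    cat <<EOF
module(load="imfile" PollingInterval="10" statefile.directory="${STATE_DIR}")

input(type="imfile"
      File="/var/log/apache2/access.log"
      Tag="http_access"
      Severity="info"
      Facility="local6")

input(type="imfile"
      File="/var/log/apache2/error.log"
      Tag="http_error"
      Severity="error"
      Facility="local6")

# local6.info matches severity info and above, so both inputs are forwarded.
# A single @ is UDP; use @@ for TCP.
local6.info @${FORWARDER}:${FORWARDER_PORT}
EOF
}

# Number of module(load="imfile") statements in the rendered config; must be 1.
count_imfile_loads() {
    render_config | grep -c 'module(load="imfile"'
}

# Run rsyslog's syntax check on one configuration file. Returns non-zero on a
# broken config; when rsyslogd is not installed it only prints a notice.
validate_config() {
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "$1"
    else
        echo "rsyslogd not found, skipping syntax check of $1" >&2
    fi
}

# Write the config, validate it, restart rsyslog and emit a probe message that
# should show up at the forwarder. Requires root.
install_config() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ -d "$STATE_DIR" ] || mkdir -p "$STATE_DIR"
    render_config > "$CONF_PATH"
    validate_config "$CONF_PATH" || return 1
    service rsyslog restart
    service rsyslog status
    # Probe: same facility, severity and tag as an access.log line.
    logger -p local6.info -t http_access "rsyslog forwarding test $(date +%s)"
}

case "${1:-render}" in
    install) install_config ;;
    *)       render_config ;;
esac
```

Run `sh apache-rsyslog.sh` to print the configuration for review, and `sudo FORWARDER_IP=<Forwarder IP> sh apache-rsyslog.sh install` to install it. If the syntax check fails, rsyslog is not restarted, so the existing logging setup keeps working while you fix the file.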
Events like the following then arrive in your Chronicle instance.
Sample Logs
The following is an example of an Apache access-log line as forwarded to Chronicle:
<13>Jul 5 21:01:16 ip-192-168-1-1 ip-192-168-1-1.ap-south-1.compute.internal:443 0.0.0.0 - - [05/Jul/2023:21:01:15 +0000] "POST /wp-cron.php?doing_wp_cron=1688590975.2544340602874755859375 HTTP/1.1" 200 6521 "-" "WordPress/6.2.2; https://www.contoso.com"