You can configure your Apache HTTP Server to forward events with the syslog
protocol.
About this task
The following procedure applies to Apache DSMs operating on most UNIX or Linux® operating systems. Check
your vendor's documentation for more information about configuring the server.
Procedure
1. Log in to the server that hosts Apache, as the root user.
2. Edit the Apache configuration file httpd.conf.
3. Add the following information in the Apache configuration file to specify the custom log format:
   LogFormat "%h %A %l %u %t \"%r\" %>s %p %b" <log format name>
   Where <log format name> is a variable name you provide to define the log format.
4. Add the following information in the Apache configuration file to specify a custom path for the syslog events:
   CustomLog "|/usr/bin/logger -t httpd -p <facility>.<priority>" <log format name>
   Where:
   - <facility> is a syslog facility, for example, local0.
   - <priority> is a syslog priority, for example, info or notice.
   - <log format name> is a variable name that you provide to define the custom log format. The log format name must match the log format name that is defined in Step 3.
   For example,
   CustomLog "|/usr/bin/logger -t httpd -p local1.info" MyApacheLogs
5. Type the following command to disable hostname lookup:
6. Save the Apache configuration file.
7. Edit the syslog configuration file.
8. Add the following information to your syslog configuration file:
   <facility>.<priority><TAB><TAB>@<host>
   Where:
   - <facility> is the syslog facility, for example, local0. This value must match the value that you typed in Step 4.
   - <priority> is the syslog priority, for example, info or notice. This value must match the value that you typed in Step 4.
   - <TAB> indicates you must press the Tab key.
   - <host> is the IP address of the QRadar Console or Event Collector.
9. Save the syslog configuration file.
10. Type the following command to restart the syslog service:
    /etc/init.d/syslog restart
11. Restart Apache to complete the syslog configuration.
The configuration is complete. The log source is added to QRadar as syslog events from
Apache HTTP Servers are automatically discovered. Events that are forwarded to QRadar by Apache HTTP Servers are
displayed on the Log Activity tab of QRadar.
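
To confirm that forwarded events carry the facility, priority, tag and field order configured in Steps 3, 4 and 8, the following added example (not part of the original procedure or of any IBM or Apache code) decodes one relayed syslog line and parses the custom LogFormat. It assumes RFC 3164 framing as relayed by a classic syslogd; the host name web01, the addresses and the sample line are constructed.

```python
import re

# Syslog facility and severity names by numeric code (RFC 3164).
FACILITIES = {16 + i: f"local{i}" for i in range(8)}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Fields of LogFormat "%h %A %l %u %t \"%r\" %>s %p %b", in order.
ACCESS_RE = re.compile(
    r'(?P<client>\S+) (?P<server_ip>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<port>\d+) (?P<bytes>\d+|-)$'
)
# RFC 3164 framing as relayed by syslogd: <PRI>timestamp host tag: message
SYSLOG_RE = re.compile(
    r'<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$'
)

def parse_event(line, expect="local1.info", tag="httpd"):
    """Return the parsed fields, or raise ValueError naming what is misconfigured."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 syslog line")
    pri = int(m["pri"])  # PRI = facility * 8 + severity
    selector = f"{FACILITIES.get(pri >> 3, pri >> 3)}.{SEVERITIES[pri & 7]}"
    if selector != expect:
        raise ValueError(f"facility.priority is {selector}, expected {expect}")
    if m["tag"] != tag:
        raise ValueError(f"tag is {m['tag']}, expected {tag}")
    fields = ACCESS_RE.match(m["msg"])
    if not fields:
        raise ValueError("message does not match the custom LogFormat")
    event = fields.groupdict()
    event.update(selector=selector, host=m["host"])
    return event

# Constructed sample: what a collector would receive for the page's example
# CustomLog "|/usr/bin/logger -t httpd -p local1.info" (PRI = 17*8 + 6 = 142).
SAMPLE = ('<142>Oct 10 13:55:36 web01 httpd: 192.0.2.10 198.51.100.5 - - '
          '[10/Oct/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 80 2326')

if __name__ == "__main__":
    print(parse_event(SAMPLE))
```

A ValueError that names a different facility.priority points to a mismatch between the CustomLog line and the syslog configuration entry; a LogFormat mismatch usually means the CustomLog line references a different log format name than the one defined in Step 3.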