Configuring Apache HTTP Server with syslog

You can configure your Apache HTTP Server to forward events with the syslog protocol.

About this task

The following procedure applies to Apache DSMs operating on most UNIX or Linux® operating systems. Check your vendor's documentation for more information about configuring the server.

Procedure

  1. Log in to the server that hosts Apache, as the root user.
  2. Edit the Apache configuration file httpd.conf.
  3. Add the following information in the Apache configuration file to specify the custom log format:

    LogFormat "%h %A %l %u %t \"%r\" %>s %p %b" <log format name>

    Where <log format name> is a variable name you provide to define the log format.

  4. Add the following information in the Apache configuration file to specify a custom path for the syslog events:

    CustomLog "|/usr/bin/logger -t httpd -p <facility>.<priority>" <log format name>

    Where:

    • <facility> is a syslog facility, for example, local0.

    • <priority> is a syslog priority, for example, info or notice.

    • <log format name> is a variable name that you provide to define the custom log format. The log format name must match the log format name that is defined in Step 3.

    For example,

    CustomLog "|/usr/bin/logger -t httpd -p local1.info" MyApacheLogs

  5. Type the following command to disable hostname lookup:

    HostnameLookups off

  6. Save the Apache configuration file.
  7. Edit the syslog configuration file.

    /etc/syslog.conf

  8. Add the following information to your syslog configuration file:

    <facility>.<priority> <TAB><TAB>@<host>

    Where:

    • <facility> is the syslog facility, for example, local0. This value must match the value that you typed in Step 4.
    • <priority> is the syslog priority, for example, info or notice. This value must match the value that you typed in Step 4.
    • <TAB> indicates you must press the Tab key.
    • <host> is the IP address of the QRadar Console or Event Collector.
  9. Save the syslog configuration file.
  10. Type the following command to restart the syslog service:

    /etc/init.d/syslog restart

  11. Restart Apache to complete the syslog configuration.

    The configuration is complete. The log source is added to QRadar as syslog events from Apache HTTP Servers are automatically discovered. Events that are forwarded to QRadar by Apache HTTP Servers are displayed on the Log Activity tab of QRadar.