Configuring Apache HTTP Server with syslog-ng

You can configure your Apache HTTP Server to forward events by using syslog-ng.


  1. Log in to the server that hosts Apache, as the root user.
  2. Edit the Apache configuration file.


  3. Add the following information to the Apache configuration file to specify the LogLevel:

    LogLevel info

    The LogLevel might already be configured to the info level; it depends on your Apache installation.

  4. Add the following to the Apache configuration file to specify the custom log format:

    LogFormat "%h %A %l %u %t \"%r\" %>s %p %b" <log format name>

    Where <log format name> is a variable name you provide to define the custom log format.

  5. Add the following information to the Apache configuration file to specify a custom path for the syslog events:

    CustomLog "|/usr/bin/logger -t 'httpd' -u /var/log/httpd/apache_log.socket" <log format name>

    The log format name must match the log format name that is defined in Step 4.

  6. Save the Apache configuration file.
  7. Edit the syslog-ng configuration file.


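  8. Add the following information to specify the destination in the syslog-ng configuration file:

    source s_apache { unix-stream("/var/log/httpd/apache_log.socket"); };
    destination auth_destination { <udp|tcp>("<IP address>" port(514)); };
    log { source(s_apache); destination(auth_destination); };

    The s_apache source reads the socket that logger writes to in Step 5, and the log statement connects that source to the destination.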

    <IP address> is the IP address of the QRadar® Console or Event Collector.

    <udp|tcp> is the protocol that you select to forward the syslog event.

  9. Save the syslog-ng configuration file.
  10. Type the following command to restart syslog-ng:

    service syslog-ng restart

  11. You can now configure the log source in QRadar.

    The configuration is complete. The log source is added to QRadar because syslog events from Apache HTTP Servers are automatically discovered. Events that are forwarded to QRadar by Apache HTTP Servers are displayed on the Log Activity tab of QRadar.
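To confirm that forwarded events still carry every field of the Step 4 LogFormat, you can run captured lines through a parser such as the following. This is an added example, not part of the product documentation; the function names, the sample lines, and the shape of the syslog header are assumptions.

```python
import re
from datetime import datetime

# Field order follows the Step 4 LogFormat: %h %A %l %u %t "%r" %>s %p %b
LINE_RE = re.compile(
    r'(?:.*?\bhttpd(?:\[\d+\])?: )?'      # optional syslog header ending in the logger tag
    r'(?P<client>\S+) (?P<server_ip>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" '    # Apache writes embedded quotes as \"
    r'(?P<status>\d{3}) (?P<port>\d+) (?P<bytes>\d+|-)$'
)

def parse_event(line):
    """Return a dict of typed fields, or None when the line does not fit the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    try:
        ev["time"] = datetime.strptime(ev["time"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    ev["status"], ev["port"] = int(ev["status"]), int(ev["port"])
    ev["bytes"] = 0 if ev["bytes"] == "-" else int(ev["bytes"])  # %b is "-" for an empty body
    parts = ev["request"].split(" ")
    # Only a three-part request line is split; anything else (for example "-") stays raw.
    ev["method"], ev["uri"], ev["protocol"] = parts if len(parts) == 3 else (None, None, None)
    return ev

def split_stream(lines):
    """Separate events that match the format from lines that need a closer look."""
    parsed, rejected = [], []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            rejected.append(line)
        else:
            parsed.append(ev)
    return parsed, rejected

# Constructed sample input; the syslog header on the first line is an assumed shape.
SAMPLE = [
    '<13>Oct 10 13:55:36 web01 httpd: 203.0.113.7 192.0.2.10 - alice [10/Oct/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 80 2326',
    '203.0.113.9 192.0.2.10 - - [10/Oct/2024:13:55:40 +0000] "GET /a?q=\\"x\\" HTTP/1.1" 304 443 -',
    '203.0.113.9 192.0.2.10 - - [10/Oct/2024:13:55:41 +0000] "-" 408 443 -',
    'Oct 10 13:55:42 web01 sshd[811]: Accepted publickey for root',
]

if __name__ == "__main__":
    ok, bad = split_stream(SAMPLE)
    print(len(ok), "parsed;", "unparsed:", bad)
```

Lines that end up in the rejected list usually point to a LogFormat name mismatch between Step 4 and Step 5 or to another program writing to the same socket.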