You can configure your Apache HTTP Server to forward events with the syslog connector.
About this task
The following procedure applies to Apache data source types operating on most UNIX or Linux® operating systems. Check your vendor's documentation for
more information about configuring the server.
Procedure
-
Log in to the server that hosts Apache, as the root user.
-
Edit the Apache configuration file httpd.conf.
-
Add the following information in the Apache configuration file to specify
the custom log format:
LogFormat "%h %A %l %u %t \"%r\" %>s %p %b" <log format
name>
Where <log format name> is a variable name you provide to define the log
format.
-
Add the following information in the Apache configuration file to specify a
custom path for the syslog events:
CustomLog "|/usr/bin/logger -t httpd -p
<facility>.<priority>" <log format
name>
Where:
-
<facility> is a syslog facility, for example, local0.
-
<priority> is a syslog priority, for example, info or notice.
-
<log format name> is a variable name that you provide to define the custom
log format. The log format name must match the log format name that is defined in Step 3.
For example,
CustomLog "|/usr/bin/logger -t httpd -p local1.info" MyApacheLogs
-
Type the following command to disable hostname lookup:
-
Save the Apache configuration file.
-
Edit the syslog configuration file.
-
Add the following information to your syslog configuration file:
<facility>.<priority>
<TAB><TAB>@<host>
Where:
- <facility> is the syslog facility, for example, local0. This value must
match the value that you typed in Step 4.
- <priority> is the syslog priority, for example, info or notice. This value
must match the value that you typed in Step 4.
<TAB> indicates you must press the Tab key. - <host> is the IP address of the QRadar® product
-
Save the syslog configuration file.
-
Type the following command to restart the syslog service:
/etc/init.d/syslog restart
-
Restart Apache to complete the syslog configuration.