IBM Support

QRadar: How to configure RSyslog on Ubuntu to forward Apache HTTP Access Logs

How To


Summary

This guide explains how to send Apache HTTP Server access log events to QRadar by using rsyslog on Ubuntu-based systems.

Steps

  1. Create a file under /etc/rsyslog.d/ named 02-apache2.conf:
    vim /etc/rsyslog.d/02-apache2.conf
  2. Add the following code block to the file:
    module(load="imfile" PollingInterval="10" statefile.directory="/var/spool/rsyslog")
    input(type="imfile"
          File="/var/log/apache2/access.log"
          Tag="http_access"
          Severity="info"
          Facility="local1")
    local1.*            @<QRadar IP>:514
    The following is an explanation of the fields in the file:
    • module line
      • load: Specifies the RSyslog module to load, which in this case is the imfile module for converting files to syslog.
      • PollingInterval: Specifies how often the file is read for new data. Avoid setting this parameter to 0 or you risk overloading your system CPU.
      • statefile.directory: Specifies a dedicated directory for the storage of imfile state files. To verify whether this directory exists on your deployment (any directory can be used), you can run the following command:
        ls /var/spool/rsyslog/
    • input lines
      • type: Specifies the input module, in this case imfile, which reads lines from a text file and turns them into syslog messages.
      • File: Specifies the file to be polled. All Apache2 logs are stored under /var/log/apache2.
      • Tag: Configures a field at the start of each message, which can be used as your Log Source Identifier (LSI).
      • Severity: Syslog severity to be assigned to lines read from the file. For access logs you want "info".
      • Facility: Syslog facility to be assigned to messages read from the file specified.
    • The last line forwards messages with facility local1 to your QRadar server over UDP on port 514 (a single @ means UDP; @@ means TCP). The severity in this selector must not be stricter than the Severity set on the input, because a selector only matches messages at that severity or more urgent; a selector such as local1.error never matches lines tagged "info", so they are not forwarded.
  3. Restart RSyslog.
    systemctl restart rsyslog
    Note: If the log source is auto-discovered as a LinuxOS log source, change the log source type to Apache HTTP logs and the protocol to Syslog.
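The steps above as one script, added here as an example that is not part of the IBM article: it writes the rsyslog configuration from step 2, checks before writing that the selector's severity actually covers the Severity given to the imfile input (the mismatch that silently drops every line), runs the syntax check that rsyslogd provides, warns about the two host prerequisites the article mentions (the state directory and a readable access.log), and restarts rsyslog. The output path, the QRadar IP argument, and the helper names severity_num, selector_forwards, write_apache_rsyslog_conf and preflight are this example's own choices.

```shell
#!/bin/sh
# Added example, not IBM's script. Generates /etc/rsyslog.d/02-apache2.conf
# as described in the article and validates it before restarting rsyslog.
# Usage on the Ubuntu host: sh apache2-to-qradar.sh --install <QRadar IP>
set -eu

# Numeric syslog severity for a name as used in rsyslog selectors
# (emerg=0 ... debug=7). "*" stands for the facility.* wildcard.
severity_num() {
    case "$1" in
        emerg|panic)  echo 0 ;;
        alert)        echo 1 ;;
        crit)         echo 2 ;;
        err|error)    echo 3 ;;
        warning|warn) echo 4 ;;
        notice)       echo 5 ;;
        info)         echo 6 ;;
        debug)        echo 7 ;;
        '*')          echo 7 ;;
        *)            return 1 ;;
    esac
}

# Returns 0 when the selector "facility.prio" ($1) forwards a message whose
# severity is $2. A selector matches severities at least as urgent as prio,
# i.e. with a numeric value less than or equal to prio's value.
selector_forwards() {
    sel_prio=${1#*.}     # "local1.error" -> "error"
    sp=$(severity_num "$sel_prio") || return 2
    ms=$(severity_num "$2") || return 2
    [ "$ms" -le "$sp" ]
}

# Writes the article's configuration to $1, forwarding to QRadar at $2 over UDP/514.
write_apache_rsyslog_conf() {
    out=$1
    qradar_ip=$2
    sev=info
    selector="local1.*"   # wildcard severity, so the "info" lines are not dropped
    if ! selector_forwards "$selector" "$sev"; then
        echo "selector $selector would drop severity $sev lines" >&2
        return 1
    fi
    cat > "$out" <<EOF
module(load="imfile" PollingInterval="10" statefile.directory="/var/spool/rsyslog")
input(type="imfile"
      File="/var/log/apache2/access.log"
      Tag="http_access"
      Severity="$sev"
      Facility="local1")
$selector        @$qradar_ip:514
EOF
}

# Host checks: syntax-check the file (no daemon is started) and warn about
# the prerequisites the article lists.
preflight() {
    conf=$1
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "$conf"
    fi
    [ -d /var/spool/rsyslog ] || echo "warning: /var/spool/rsyslog is missing; imfile state files need it" >&2
    [ -r /var/log/apache2/access.log ] || echo "warning: /var/log/apache2/access.log is not readable by this user" >&2
}

if [ "${1:-}" = "--install" ]; then
    conf=/etc/rsyslog.d/02-apache2.conf
    write_apache_rsyslog_conf "$conf" "${2:?usage: $0 --install <QRadar IP>}"
    preflight "$conf"
    systemctl restart rsyslog
fi
```

Run the syntax check and the write step as root; the selector check needs no privileges and is the part worth keeping if you adapt the severity later, since rsyslog accepts a selector that matches nothing without complaint.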

Results

You receive events on your QRadar console.

Document Location

Worldwide


Document Information

Modified date:
23 May 2022

UID

ibm16587382