IBM Support

QRadar: How to configure RSyslog on Ubuntu to forward Apache HTTP Access Logs

How To


Summary

This guide explains how to forward Apache events from Ubuntu-based systems by using the RSyslog imfile module. This module converts any standard text file into syslog messages.

Steps

Before we begin
Administrators run the following steps to validate the version of RSyslog from the Linux command line:
  1. Use SSH to log in to the remote host.
  2. Use dpkg to check the version of the package:
    dpkg -l rsyslog
    Output example:
    root@ubuntu:~# dpkg -l rsyslog
    Desired=Unknown/Install/Remove/Purge/Hold
    | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
    |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
    ||/ Name           Version             Architecture Description
    +++-==============-===================-============-=========================================
    ii  rsyslog        8.2112.0-2ubuntu2.2 amd64        reliable system and kernel logging daemon
    
    Result
    The administrator confirmed the version of the RSyslog package.

Resolving the problem
Administrators run the following steps to forward events from Apache by using RSyslog with the imfile module:
Note: The configuration is based on the official documentation for RSyslog version 8. For more information about the imfile module, see RSyslog Documentation - imfile module.
  1. Use SSH to log in to the remote host.
  2. Create a file under /etc/rsyslog.d/ named 02-apache2.conf:
    vim /etc/rsyslog.d/02-apache2.conf
  3. Add the following code block to the file:
    module(load="imfile" PollingInterval="10" statefile.directory="/var/spool/rsyslog")
    input(type="imfile"
          File="/var/log/apache2/access.log"
          Tag="http_access"
          Severity="info"
          Facility="local1")
    local1.info        @<QRadar IP>:514
    See the following explanation:
    • module line:
      • load: Specifies the RSyslog module to load, which in this case is the imfile module for converting files to syslog.
      • PollingInterval: Specifies how often the file is read for new data. Avoid setting this parameter to 0 or you risk overloading your system CPU.
      • statefile.directory: Specifies a dedicated directory for the storage of imfile state files. To verify whether this directory exists on your deployment (any directory can be used), you can run the following command:
        ls /var/spool/rsyslog/
    • input line:
      • type: Specifies the type of the module, in this case the imfile for converting these logs to a usable format.
      • File: Specifies the file to be polled. All Apache2 logs are stored under /var/log/apache2. For error logs, use error.log instead of access.log.
      • Tag: Sets the tag that is prepended to each message read from the file; QRadar can use this value as the log source identifier (LSI).
      • Severity: Syslog severity to be assigned to lines read from the file. For access logs, use "info".
      • Facility: Syslog facility to be assigned to messages read from the file specified.
    • The last line forwards these log lines to your QRadar server. The selector local1.info must match the Facility and Severity set in the input line, in the form <Facility>.<Severity>.
  4. Save and exit the file.
  5. Run the following command to verify the configuration:
    rsyslogd -N1 -f /etc/rsyslog.d/02-apache2.conf
    Note: If the only output is "rsyslogd: End of config validation run. Bye.", the file contains no configuration errors and you can restart the RSyslog service in the next step.
  6. Restart the RSyslog service:
    systemctl restart rsyslog
    Note: If the log source is auto-discovered as a LinuxOS log source, simply change the type to Apache HTTP logs and the protocol to syslog.

    Result
    The administrator enabled Apache to forward events to QRadar by using RSyslog with the imfile module.


Document Information

Modified date:
19 October 2023

UID

ibm16587382