QRadar: How to configure RSyslog on Ubuntu to forward Apache HTTP Access Logs

Steps

1. Create a file under /etc/rsyslog.d/ named 02-apache2.conf:

   vim /etc/rsyslog.d/02-apache2.conf

2. Add the following code block to the file:
   module(load="imfile" PollingInterval="10" statefile.directory="/var/spool/rsyslog")
   input(type="imfile"
         File="/var/log/apache2/access.log"
         Tag="http_access"
         Severity="info"
         Facility="local1")
   local1.error        @<QRadar IP>:514

   The following is an explanation of the fields in the file:

   • module line
     • load: Specifies the RSyslog module to load, which in this case is the imfile module for converting files to syslog.
     • PollingInterval: Specifies how often the file is read for new data. Avoid setting this parameter to 0 or you risk overloading your system CPU.
     • statefile.directory: Specifies a dedicated directory for the storage of imfile state files. To verify whether this directory exists on your deployment (any directory can be used), you can run the following command:

       ls /var/spool/rsyslog/

   • input lines
     • type: Specifies the type of the module, in this case the imfile for converting these logs to a usable format.
     • File: Specifies the file to be polled, all Apache2 logs are stored under /var/log/apache2.
     • Tag: Configures a field at the start of your log source, and can be used as your LSI.
     • Severity: Syslog severity to be assigned to lines read from the file, for access logs you want "info".
     • Facility: Syslog facility to be assigned to messages read from the file specified.
   • The last line specifies that these log lines are forwarded to your QRadar server.
3. Restart RSyslog.

   systemctl restart rsyslog

   Note: If the log source is auto discovered as a LinuxOS log source, simply change the type to Apache HTTP logs and the protocol as syslog.