Apache Access logs in CEF over Syslog

Document created by kishangupta on Mar 3, 2016

For the last few days I have been trying to get Apache HTTP access logs via CEF over syslog, and after a few attempts I was able to. Here are the settings and changes that work properly for me.

I have tested this on Apache 2.4 installed on CentOS 7.2.

  • Configuring Logging on the Apache HTTP Server

Open the httpd.conf file for editing and add the following entries. The file location can vary depending on your installation and OS; on Linux the default path is /etc/httpd/conf/httpd.conf:

    • Under <IfModule log_config_module> add your CEF log format, like the one below. You can modify it to suit your requirements (see the Apache documentation on custom log formats).

[The format below is taken from Apache Access Log in CEF]

LogFormat "CEF:0|Apache|apache||%>s|%m %U%q|Unknown|end=%{%b %d %Y %H:%M:%S}t app=HTTP cs2=%H suser=%u shost=%h src=%a dhost=%V dpt=%p dproc=apache request=%U requestMethod=%m fname=%f cs1Label=Virtual Host cs1=%v cn1Label=Response Time cn1=%T out=%B cs4Label=Referer cs4=%{Referer}i dvchost=%v dvc=%A deviceProcessName=apache_access_log requestClientApplication=%{User-Agent}i cs3Label=X-Forwarded-For cs3=%{X-Forwarded-For}i" cef

OR

LogFormat "CEF:0|Apache|apache||%>s|%m %U%q|%>s|end=%{%b %d %Y %H:%M:%S}t app=%H proto=TCP cs2=%H suser=%u shost=%h src=%a dhost=%V dpt=%p dproc=apache request=https://%{HOST}i:%p%U%q requestMethod=%m fname=%f cs1Label=Virtual Host cs1=%v cn1Label=Response Time cn1=%T in=%I out=%B cs4Label=Referer cs4=%{Referer}i cs5Label=SSL Protocol cs5=%{SSL_PROTOCOL}x cs6Label=SSL CIPHER cs6=%{SSL_CIPHER}x dvchost=%v dvc=%A deviceProcessName=apache_access_log requestClientApplication=%{User-Agent}i cs3Label=X-Forwarded-For cs3=%{X-Forwarded-For}i" cef

    • Under <IfModule logio_module> add the following line to write the Apache logs to syslog

CustomLog "|/usr/bin/logger -p local6.info -t httpd" cef

    • Save the conf file and restart the httpd service.

  • Configuring Syslog to send CEF logs to ArcSight Smart Connector

Open the syslog configuration file for editing (this document uses rsyslog as the example). The file location can vary depending on your installation and OS; for rsyslog the default path is /etc/rsyslog.conf:

    • Under the forwarding rule section, add these lines to send syslog events over TCP:

$template message_only,"%msg%\n"

if $programname == 'httpd' then @@<Syslog Server>:<Port>;message_only

Explanation of the above lines

$template message_only,"%msg%\n" - defines a template that writes only the syslog message body (that is, without any syslog header)

if $programname == 'httpd' then @@<Syslog Server>:<Port>;message_only - sends the syslog events of the httpd program in the "message_only" format to <Syslog Server> on <Port> over TCP

Note - If you want to send syslog over UDP, replace @@ with @.

    • Save the conf file and restart the rsyslog service.
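What reaches the receiver after the message_only template is the bare CEF line produced by the first LogFormat above. As an added example (not part of the original document, of Apache or of ArcSight), here is a small Python parser for such a line: it splits the seven pipe-delimited header fields honouring the \| escape, cuts extension values at key boundaries so that spaces inside values such as the timestamp or the User-Agent survive, and resolves the csNLabel/cnNLabel pairs to readable names. The sample line is constructed, not captured from a server.

```python
import re
# Constructed sample in the shape the first LogFormat above emits (made-up values,
# not captured from a real server).
SAMPLE = ("CEF:0|Apache|apache||200|GET /index.html?x=1|Unknown|"
          "end=Mar 03 2016 10:15:20 app=HTTP cs2=HTTP/1.1 suser=- shost=203.0.113.5 "
          "src=203.0.113.5 dhost=www.example.com dpt=80 dproc=apache request=/index.html "
          "requestMethod=GET fname=/var/www/html/index.html cs1Label=Virtual Host "
          "cs1=www.example.com cn1Label=Response Time cn1=0 out=1024 cs4Label=Referer "
          "cs4=- dvchost=www.example.com dvc=192.0.2.10 deviceProcessName=apache_access_log "
          "requestClientApplication=Mozilla/5.0 (X11; Linux x86_64) "
          "cs3Label=X-Forwarded-For cs3=-")
HEADER = ("version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity")
# An extension key is an alphanumeric token at line start or after a space, then '='.
EXT_KEY = re.compile(r"(?:^| )([A-Za-z0-9_]+)=")

def split_header(line):
    """Return the 7 header fields (split on unescaped '|') and the extension remainder."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < len(HEADER):
        c = line[i]
        if c == "\\" and i + 1 < len(line):      # '\|' and '\\' are the header escapes
            cur.append(line[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(fields) != len(HEADER) or not fields[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    fields[0] = fields[0][4:]                     # drop the 'CEF:' prefix
    return dict(zip(HEADER, fields)), line[i:]

def unescape(value):
    """Undo the extension escapes: a backslash before '=', '\\', or n/r for line breaks."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), value)

def parse_extension(ext):
    """Cut each value at the next ' key=' boundary, not at every space: the timestamp,
    the User-Agent and other client-supplied header values contain spaces."""
    keys = list(EXT_KEY.finditer(ext))
    return {m[1]: unescape(ext[m.end():(keys[n + 1].start() if n + 1 < len(keys) else len(ext))])
            for n, m in enumerate(keys)}

def parse_cef(line):
    """Parse one line; 'labelled' maps csNLabel/cnNLabel names onto the csN/cnN values."""
    header, rest = split_header(line.rstrip("\r\n"))
    ext = parse_extension(rest)
    labelled = {v: ext[k[:-5]] for k, v in ext.items() if k.endswith("Label") and k[:-5] in ext}
    return {"header": header, "extension": ext, "labelled": labelled}
```

Calling parse_cef(SAMPLE) returns the header as a dict, the raw extension keys, and a labelled dict with entries such as "Virtual Host" and "Response Time".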
