
Apache Access logs in CEF over Syslog

For the last few days I have been trying to get Apache HTTP access logs via CEF over syslog, and after a few attempts I was able to. Here are the settings and changes that work properly for me.

I have tested this on Apache 2.4 installed on CentOS 7.2.

  • Configuring Logging on the Apache HTTP Server

Open the httpd.conf file for editing and add the following entries. This file's location can vary depending on your installation and OS. On Linux the default path is /etc/httpd/conf/httpd.conf:

    • Under <IfModule log_config_module> add your CEF log format, like the one below. You can modify it as per your requirements. (See Apache custom log formats here.)

[Taken below format from ]

LogFormat "CEF:0|Apache|apache||%>s|%m %U%q|Unknown|end=%{%b %d %Y %H:%M:%S}t app=HTTP cs2=%H suser=%u shost=%h src=%a dhost=%V dpt=%p dproc=apache request=%U requestMethod=%m fname=%f cs1Label=Virtual Host cs1=%v cn1Label=Response Time cn1=%T out=%B cs4Label=Referer cs4=%{Referer}i dvchost=%v dvc=%A deviceProcessName=apache_access_log requestClientApplication=%{User-Agent}i cs3Label=X-Forwarded-For cs3=%{X-Forwarded-For}i" cef

OR

LogFormat "CEF:0|Apache|apache||%>s|%m %U%q|%>s|end=%{%b %d %Y %H:%M:%S}t app=%H proto=TCP cs2=%H suser=%u shost=%h src=%a dhost=%V dpt=%p dproc=apache request=https://%{HOST}i:%p%U%q requestMethod=%m fname=%f cs1Label=Virtual Host cs1=%v cn1Label=Response Time cn1=%T in=%I out=%B cs4Label=Referer cs4=%{Referer}i cs5Label=SSL Protocol cs5=%{SSL_PROTOCOL}x cs6Label=SSL CIPHER cs6=%{SSL_CIPHER}x dvchost=%v dvc=%A deviceProcessName=apache_access_log requestClientApplication=%{User-Agent}i cs3Label=X-Forwarded-For cs3=%{X-Forwarded-For}i" cef

    • Under <IfModule logio_module> add the following line to write the Apache logs to the system log:

CustomLog "|/usr/bin/logger -p local6.info -t httpd" cef

    • Save the conf file and restart the httpd service.

  • Configuring Syslog to send CEF logs to ArcSight Smart Connector

Open the syslog configuration file (this document uses RSyslog as its example) and edit it. This file's location can vary depending on your installation and OS. For RSyslog the default path is /etc/rsyslog.conf:

    • Under the Forwarding rule section add these lines to send syslog events over TCP:

$template message_only,"%msg%\n"

if $programname == 'httpd' then @@<Syslog Server>:<Port>;message_only

Explanation of the above lines:

$template message_only,"%msg%\n" - defines a template that writes only the syslog message body (i.e. without any syslog header)

if $programname == 'httpd' then @@<Syslog Server>:<Port>;message_only - sends the httpd program's syslog events in the "message_only" format to "Syslog Server" on "Port" over TCP

Note - If you want to send syslog over UDP, replace @@ with @

    • Save the conf file and restart the rsyslog service.
Thanks and Regards,
Kishan Gupta
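As an added example (not code from the post above, nor from Apache or ArcSight), here is a small Python checker for the CEF lines that the two LogFormat strings emit once the rsyslog message_only template has stripped the syslog header. It covers both halves of the procedure: it parses what the Apache side writes and it reports the things that make a CEF consumer mis-parse a line. The three sample lines are constructed by hand to mimic the formats; the host names and addresses are invented. The severity rule it applies is the one from the CEF specification (an integer 0-10 or Low/Medium/High/Very-High; ArcSight also accepts the "Unknown" the first format hard-codes), which is why the second format's use of %>s as severity is flagged. It also shows what happens when a client puts a "|" in the request path, which Apache does not escape in %U.

```python
"""Sanity-check CEF lines built with the Apache LogFormat strings above.

Added example: not code from the original post, Apache or ArcSight.  The sample
lines are constructed by hand to mimic the two LogFormat strings after rsyslog's
message_only template has removed the syslog header; hosts and addresses are
invented (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
"""
import re

# CEF header: seven '|'-separated fields, then a space-separated key=value extension.
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

# Severity must be an integer 0-10 or one of these words.  The first LogFormat
# hard-codes "Unknown"; the second puts the HTTP status (%>s) there instead.
SEVERITY_WORDS = {"Low", "Medium", "High", "Very-High", "Unknown"}

# Extension keys that both LogFormat strings in the post emit.
REQUIRED_KEYS = {
    "end", "app", "cs2", "suser", "shost", "src", "dhost", "dpt", "dproc",
    "request", "requestMethod", "fname", "cs1Label", "cs1", "cn1Label", "cn1",
    "out", "cs4Label", "cs4", "dvchost", "dvc", "deviceProcessName",
    "requestClientApplication", "cs3Label", "cs3",
}

# A key is a bare word followed by '=' at the start of the extension or after
# whitespace; an '=' inside a value (e.g. "?q=cef") follows no whitespace.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9]*)=")


def split_header(line):
    """Return (header_fields, extension_text).  Honours '\\|' escapes as the spec
    requires; Apache does not escape '|' in %U, so a pipe in the request path
    shifts every later header field to the left."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < len(HEADER_FIELDS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    return fields, line[i:]


def parse_extension(ext):
    """Split the extension into a dict; each value runs up to the next key."""
    matches = list(_KEY_RE.finditer(ext))
    values = {}
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        values[m.group(1)] = ext[m.end():end].strip()
    return values


def check_cef_line(line):
    """Parse one line; return header, extension and a list of problems found."""
    line = line.strip()  # rsyslog's %msg% can keep the space after the syslog tag
    fields, ext = split_header(line)
    if len(fields) < len(HEADER_FIELDS):
        return {"header": {}, "extension": {},
                "problems": ["header has %d of 7 fields" % len(fields)]}
    header = dict(zip(HEADER_FIELDS, fields))
    problems = []
    if header["version"] != "CEF:0":
        problems.append("unexpected version field %r" % header["version"])
    sev = header["severity"]
    if not ((sev.isdigit() and int(sev) <= 10) or sev in SEVERITY_WORDS):
        problems.append("invalid severity %r: expected 0-10 or one of %s"
                        % (sev, "/".join(sorted(SEVERITY_WORDS))))
    extension = parse_extension(ext)
    missing = REQUIRED_KEYS - set(extension)
    if missing:
        problems.append("missing extension keys: " + ", ".join(sorted(missing)))
    for key, value in extension.items():
        if re.search(r"(?<!\\)=", value):  # '=' in a value must be escaped as '\='
            problems.append("unescaped '=' in value of %s" % key)
    return {"header": header, "extension": extension, "problems": problems}


def find_bad_lines(lines):
    """Indexes of lines that a CEF consumer would likely mis-parse."""
    return [i for i, line in enumerate(lines) if check_cef_line(line)["problems"]]


# Extension tail shared by the constructed samples (invented hosts/addresses).
_COMMON = (" cs2=HTTP/1.1 suser=- shost=192.0.2.10 src=192.0.2.10 dhost=www.example.com"
           " dproc=apache requestMethod=GET cs1Label=Virtual Host cs1=www.example.com"
           " cn1Label=Response Time cn1=0 cs4Label=Referer cs4=- dvchost=www.example.com"
           " dvc=198.51.100.5 deviceProcessName=apache_access_log"
           " requestClientApplication=curl/7.29.0 cs3Label=X-Forwarded-For cs3=-")

SAMPLE_LINES = [
    # 1. First LogFormat, ordinary request: parses cleanly.
    "CEF:0|Apache|apache||200|GET /index.html|Unknown|end=Jan 05 2017 10:15:22 app=HTTP"
    " dpt=80 request=/index.html fname=/var/www/html/index.html out=1234" + _COMMON,
    # 2. First LogFormat, client sent a '|' in the path: header fields shift.
    "CEF:0|Apache|apache||404|GET /a|b.html|Unknown|end=Jan 05 2017 10:15:40 app=HTTP"
    " dpt=80 request=/a|b.html fname=/var/www/html/a|b.html out=196" + _COMMON,
    # 3. Second LogFormat: status code as severity and a query string with '='.
    "CEF:0|Apache|apache||200|GET /search?q=cef&page=2|200|end=Jan 05 2017 10:16:01"
    " app=HTTP/1.1 proto=TCP dpt=443 request=https://www.example.com:443/search?q=cef&page=2"
    " fname=/var/www/html/search in=512 out=2048 cs5Label=SSL Protocol cs5=TLSv1.2"
    " cs6Label=SSL CIPHER cs6=ECDHE-RSA-AES128-GCM-SHA256" + _COMMON,
]

if __name__ == "__main__":
    for n, line in enumerate(SAMPLE_LINES, 1):
        result = check_cef_line(line)
        print("line %d: %s" % (n, "OK" if not result["problems"] else "PROBLEMS"))
        for p in result["problems"]:
            print("   -", p)
```

Running it against the three constructed lines reports the first as clean and flags the other two: the pipe in the path shifts "b.html" into the severity slot and leaves "end" unparsed, and the second format yields a severity of 200 plus an unescaped "=" inside the request value. Pointing it at a capture of the real forwarded stream (for example a few lines saved from the SmartConnector's receiving port) is a quick way to confirm the format before the events reach ArcSight.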