Tuesday, June 7, 2016

Forward Apache Logs to rsyslog

If you have a central logging system and you already forward syslogs from your linux server to it, the commands are pretty easy to also auto-forward your Apache access logs (your web traffic).

First, open the configuration file with your favorite text editor (my choice was nano)

nano /etc/rsyslog.conf

In the file, at the top add the import module command to allow file monitoring

$ModLoad imfile

Then near the bottom of the file, but before your remote syslog @ command, add the following lines that will allow you to monitor the file

$InputFilePollInterval 10
$InputFileName /var/log/apache2/access.log
$InputFileTag apache-access:
$InputFileStateFile stat-apache-access
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor


Then restart the syslog service for the changes to take effect

service rsyslog restart

Then validate syslogging is actually sending by running tcpdump and capturing traffic going outbound to that ip

tcpdump -i eth0 host XX.XX.XX.XX
listening on eth0
13:41:57.322554 IP YY.YY.YY.YY.57529 > XX.XX.XX.XX.514: SYSLOG authpriv.notice, length: 101
13:41:57.322909 IP YY.YY.YY.YY.57529 > XX.XX.XX.XX.514: SYSLOG authpriv.info, length: 104
13:41:57.323224 IP YY.YY.YY.YY.57529 > XX.XX.XX.XX.514: SYSLOG authpriv.info, length: 89


You can also verify apache access logs are enabled and working by viewing the log file that should have your logs at the bottom of them

nano /var/log/apache2/access.log

Hope that helps make your apache logging needs simpler.

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment