How To
Summary
This guide explains how to forward Apache events to QRadar from Ubuntu-based systems by using the RSyslog imfile module. This module turns any standard text file (here the Apache access or error log) into syslog messages that RSyslog can then forward.
Steps
Before we begin
Administrators run the following steps to validate the version of the RSyslog from the Linux command line:
- Use SSH to log in to the remote host.
- Use dpkg to check the version of the package:
dpkg -l rsyslog
Output example:
root@ubuntu:~# dpkg -l rsyslog
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version             Architecture Description
+++-==============-===================-============-=========================================
ii  rsyslog        8.2112.0-2ubuntu2.2 amd64        reliable system and kernel logging daemon
The administrator has confirmed the version of the RSyslog package. Version 8 is required because the configuration below uses the RainerScript module() and input() syntax; the imfile module ships with the rsyslog package itself, so no extra package is needed.
Resolving the problem
Administrators run the following steps to forward events from Apache by using RSyslog with the imfile module:
Note: The configuration is based on the official documentation for RSyslog version 8. For more information about the imfile module, see RSyslog Documentation - imfile module.
- Use SSH to log in to the remote host.
- Create a file under /etc/rsyslog.d/ named 02-apache2.conf:
vim /etc/rsyslog.d/02-apache2.conf
- Add the following code block to the file:
module(load="imfile" PollingInterval="10" statefile.directory="/var/spool/rsyslog")
input(type="imfile" File="/var/log/apache2/access.log" Tag="http_access" Severity="info" Facility="local1")
local1.info @<QRadar IP>:514
See the following explanation:
- module line:
  - load: Specifies the RSyslog module to load, in this case the imfile module that converts files to syslog messages. Load a module only once: if another file under /etc/rsyslog.d/ already contains module(load="imfile"), rsyslog refuses the configuration with "module 'imfile' already in this config", so keep a single module line and put the shared parameters there.
  - PollingInterval: Specifies, in seconds, how often the file is checked for new data. Avoid setting this parameter to 0 or you risk overloading your system CPU with a busy loop.
  - statefile.directory: Specifies a dedicated directory for the imfile state files, which record how far into each file rsyslog has read so that lines are not re-sent after a restart. Any directory can be used, but it must exist and be writable by the user rsyslogd runs as (syslog on Ubuntu). To verify that the directory exists on your deployment, run:
ls /var/spool/rsyslog/
- input line:
  - type: Specifies the input module that handles this input, in this case imfile, which reads the file line by line and turns each line into a syslog message.
  - File: Specifies the file to be polled. All Apache2 logs are stored under /var/log/apache2. To forward error logs as well, add a second input(...) block that points at error.log with its own Tag; the module line is not repeated.
  - Tag: Sets the syslog tag that appears at the start of every forwarded message, and can be used as your Log Source Identifier (LSI) in QRadar.
  - Severity: Syslog severity assigned to every line read from the file. For access logs you want "info".
  - Facility: Syslog facility assigned to every line read from the file. The facility and severity are what the forwarding selector on the last line matches on.
- The last line forwards the messages to your QRadar server. Replace <QRadar IP> with the IP address of the QRadar Console or Event Collector that receives the events. A single @ sends over UDP; use @@ to send over TCP. The selector local1.info can be changed to match the <Facility>.<Severity> values configured in the input line; note that a classic selector matches the given severity and anything more severe, so local1.info also matches error-level messages on that facility.
- Save and exit the file.
- Run the following command to verify the configuration:
rsyslogd -N1 -f /etc/rsyslog.d/02-apache2.conf
This checks only the new drop-in file. Running rsyslogd -N1 without -f validates the complete configuration (/etc/rsyslog.conf and every drop-in under /etc/rsyslog.d/), which also catches conflicts such as a duplicate module load in another file.
- Restart the RSyslog service:
systemctl restart rsyslog
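The procedure above, carried through as an added example that is not part of the IBM page: a POSIX shell script that renders the drop-in for both access.log and error.log, lets you choose UDP (@, as on the page) or TCP (@@), checks for an imfile module line that another drop-in already loads before emitting its own, and runs a static check plus rsyslogd -N1 where rsyslogd is installed. The function names are hypothetical, and 192.0.2.10 is a documentation address standing in for <QRadar IP>.

```shell
#!/bin/sh
# Added example (not from the IBM page): generate and check an rsyslog drop-in
# that forwards Apache access and error logs to QRadar with the imfile module.
# Function names are hypothetical; 192.0.2.10 stands in for <QRadar IP>.

# imfile_already_loaded <conf_dir> [main_conf]
# rsyslog rejects a configuration that loads the same module twice, so look for
# an existing imfile load (RainerScript module() or legacy $ModLoad) first.
# Returns 0 if one is found, 1 otherwise.
imfile_already_loaded() {
    dir="$1"; main="${2:-/etc/rsyslog.conf}"
    for f in "$dir"/*.conf "$main"; do
        [ -r "$f" ] || continue
        if grep -Eiq '^[[:space:]]*(module\(load="imfile"|\$ModLoad[[:space:]]+imfile)' "$f"; then
            return 0
        fi
    done
    return 1
}

# render_apache2_conf <qradar_ip> <udp|tcp> [state_dir] [skip_module]
# Prints the drop-in to stdout. skip_module=1 omits the module() line when
# imfile is already loaded elsewhere (PollingInterval and statefile.directory
# then come from that other module line).
render_apache2_conf() {
    ip="$1"; transport="${2:-udp}"; state_dir="${3:-/var/spool/rsyslog}"; skip_module="${4:-0}"
    case "$transport" in
        udp) target="@$ip:514" ;;    # one @  : UDP, as on the page; lost datagrams are not retried
        tcp) target="@@$ip:514" ;;   # two @@ : TCP, delivery is retried while the peer is down
        *)   echo "render_apache2_conf: transport must be udp or tcp" >&2; return 2 ;;
    esac
    if [ "$skip_module" != 1 ]; then
        printf 'module(load="imfile" PollingInterval="10" statefile.directory="%s")\n' "$state_dir"
    fi
    # One input() per file; each gets its own Tag so the two streams stay distinguishable.
    printf 'input(type="imfile" File="/var/log/apache2/access.log" Tag="http_access" Severity="info" Facility="local1")\n'
    printf 'input(type="imfile" File="/var/log/apache2/error.log" Tag="http_error" Severity="error" Facility="local1")\n'
    # local1.info matches severity info and anything more severe, so the error lines pass too.
    printf 'local1.info %s\n' "$target"
}

# check_conf <file>
# Static sanity check that the three directive kinds the page relies on are present.
check_conf() {
    f="$1"
    grep -q 'module(load="imfile"' "$f" &&
    grep -q 'input(type="imfile"' "$f" &&
    grep -Eq '^local1\.[a-z*]+ @' "$f"
}

# install_conf <qradar_ip> [udp|tcp] [output_file]
# Writes the drop-in, checks it, and validates the whole rsyslog configuration
# with rsyslogd -N1 (not only the new file) when rsyslogd is available.
install_conf() {
    ip="$1"; transport="${2:-udp}"; out="${3:-/etc/rsyslog.d/02-apache2.conf}"
    skip=0
    if imfile_already_loaded /etc/rsyslog.d; then
        echo "imfile is already loaded by another file; omitting the module() line" >&2
        skip=1
    fi
    render_apache2_conf "$ip" "$transport" /var/spool/rsyslog "$skip" > "$out" || return 1
    check_conf "$out" || { echo "static check failed for $out" >&2; return 1; }
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 || return 1
    fi
    echo "wrote $out; apply it with: systemctl restart rsyslog"
}

# Only install when explicitly asked, so sourcing the file for its functions is safe.
if [ "${APACHE2_QRADAR_INSTALL:-0}" = 1 ]; then
    install_conf "$@"
fi
```

Run it as root with APACHE2_QRADAR_INSTALL=1 ./apache2-qradar.sh 192.0.2.10 tcp to write /etc/rsyslog.d/02-apache2.conf, then restart rsyslog as in the last step. TCP is the better default when the collector is more than one hop away; with UDP a dropped datagram is simply gone and nothing on the Apache side notices. If the default Ubuntu 50-default.conf also copies local1 messages into /var/log/syslog and you do not want them twice on disk, an "& stop" line after the forwarding selector stops further processing of the matched messages.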
Result
The administrator has configured RSyslog with the imfile module so that Apache events are forwarded to QRadar.
Document Location
Worldwide
Document Information
Modified date:
19 October 2023
UID
ibm16587382