Apache HTTP Server

    This guide describes the steps required to configure Apache HTTP Server hosted on a Linux host to send access and error logs to a Samurai Local Collector deployed on your network by configuring rsyslog.

    Connectivity Requirements

    Source             | Destination             | Ports            | Description
    Apache HTTP Server | Samurai Local Collector | TCP/514 (syslog) | For log transmission

    Configure Apache HTTP Server

    Ensure that Apache HTTP Server is configured to log to syslog.
    Add or modify the ErrorLog and CustomLog directives in your Apache configuration file, normally located at /etc/apache2/apache2.conf:

    ErrorLog "|/usr/bin/logger -p local6.error -t apache_error"
    CustomLog "|/usr/bin/logger -p local6.info -t apache_access" combined
    

    Restart the Apache service to apply the configuration:

    sudo systemctl restart apache2
    

    Configure log forwarding with rsyslog

    Follow the steps below to configure rsyslog to forward error and access events.

    Rsyslog prerequisites

    Ensure the following statement is included in the main rsyslog configuration file, normally located at /etc/rsyslog.conf:

    $IncludeConfig /etc/rsyslog.d/*.conf
    

    If no IncludeConfig statement exists for the /etc/rsyslog.d/ directory, append it to the end of rsyslog.conf.

    Create /etc/rsyslog.d/ntt_apache.conf

    Create /etc/rsyslog.d/ntt_apache.conf and insert the configuration block below, entering the Local Collector IP in the Target field.

    template(name="apache-log" type="string" string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% apache_log %STRUCTURED-DATA% %msg%\n")
    if $programname == 'apache_error' then {
        action(
            queue.type="LinkedList"
            queue.size="10000"
            type="omfwd"
            template="apache-log"
            Target="<Local Collector IP>"
            Port="514"
            Protocol="tcp"
        )
    }
    if $programname == 'apache_access' then {
        action(
            queue.type="LinkedList"
            queue.size="10000"
            type="omfwd"
            template="apache-log"
            Target="<Local Collector IP>"
            Port="514"
            Protocol="tcp"
        )
    }
    

    Validate and restart service

    Confirm that rsyslog can parse the configuration without any errors by running:

    rsyslogd -N1
    

    Then restart the rsyslog service:

    sudo systemctl restart rsyslog
    

    The log messages will now be forwarded to the Samurai Local Collector.
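
A pre-flight check for the procedure above, as an added example that is not part of the original guide or of Samurai tooling. rsyslogd -N1 validates syntax only, so this looks for the problems that break forwarding silently: a logger tag in the Apache directives with no matching $programname filter, a Target still set to the placeholder, or an action not using TCP/514. The function names, the temporary file layout and the address 192.0.2.10 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide: lint the Apache -> rsyslog chain.
# Prints one line per problem and returns the number of problems found.
count() { grep -Eio "$1" "$2" | wc -l | tr -d '[:space:]'; }

check_apache_forwarding() {
    apache_conf=$1; rsyslog_conf=$2; problems=0
    # Tags handed to logger via -t in piped ErrorLog/CustomLog directives.
    tags=$(grep -E '^[[:space:]]*(ErrorLog|CustomLog)[[:space:]]+"[|].*logger' "$apache_conf" |
        sed -n 's/.*[[:space:]]-t[[:space:]]\{1,\}\([A-Za-z0-9_-]\{1,\}\).*/\1/p')
    if [ -z "$tags" ]; then
        echo "no ErrorLog/CustomLog directive pipes to logger with a -t tag"
        problems=$((problems + 1))
    fi
    for tag in $tags; do
        # rsyslog forwards only messages whose $programname equals the logger tag.
        if ! grep -Eq "\\\$programname[[:space:]]*==[[:space:]]*['\"]$tag['\"]" "$rsyslog_conf"; then
            echo "tag '$tag' has no matching \$programname filter"
            problems=$((problems + 1))
        fi
    done
    # The guide's "<Local Collector IP>" placeholder (or an empty value) must be replaced.
    if grep -Eiq 'target="(<[^"]*>)?"' "$rsyslog_conf"; then
        echo "omfwd Target is empty or still a placeholder"
        problems=$((problems + 1))
    fi
    # Every omfwd action should use TCP/514, per the connectivity requirements.
    actions=$(count 'type="omfwd"' "$rsyslog_conf")
    if [ "$actions" -eq 0 ] || [ "$(count 'port="514"' "$rsyslog_conf")" -ne "$actions" ] ||
        [ "$(count 'protocol="tcp"' "$rsyslog_conf")" -ne "$actions" ]; then
        echo "not every omfwd action sets Port=\"514\" and Protocol=\"tcp\""
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample input: the guide's directives, first Target left unfilled,
# second set to a documentation address (192.0.2.10, an assumption).
demo_dir=$(mktemp -d)
cat > "$demo_dir/apache2.conf" <<'EOF'
ErrorLog "|/usr/bin/logger -p local6.error -t apache_error"
CustomLog "|/usr/bin/logger -p local6.info -t apache_access" combined
EOF
cat > "$demo_dir/ntt_apache.conf" <<'EOF'
if $programname == 'apache_error' then { action(type="omfwd" Target="<Local Collector IP>" Port="514" Protocol="tcp") }
if $programname == 'apache_access' then { action(type="omfwd" Target="192.0.2.10" Port="514" Protocol="tcp") }
EOF
check_apache_forwarding "$demo_dir/apache2.conf" "$demo_dir/ntt_apache.conf" || echo "problems found: $?"
```

On a real host, pass /etc/apache2/apache2.conf and /etc/rsyslog.d/ntt_apache.conf as the two arguments before restarting rsyslog.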

    For integrations that utilize a Local Collector where we ingest syslog only, you do not need to follow specific steps in the Samurai MDR portal, as we auto-detect the vendor and product. The only reason you need to use the Samurai MDR portal is if you need to determine the Local Collector IP address. Of course, you will still need to ensure the integration is functioning! See Integrations for more information on checking status.

    Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.