Send HTTP Logs to a Syslog Server and Store Them in a Specific File
This document briefly explains how to send HTTP logs to a syslog server and store them in a specific file. You can also segregate the log files collected from remote servers based on their network address. Keep one copy on the local system and send one copy of the logs to the remote syslog server for correlation or analysis.
How to Send HTTP Logs to a Syslog Server
There are two ways to collect HTTP logs on a syslog server. One method is to configure the CustomLog lines in the httpd.conf file and route them to the syslog server; the other is to configure the syslog configuration file and send the logs from there.
Method 1: edit the httpd.conf file and add the configuration below:
# vi /etc/httpd/conf/httpd.conf
## Add this line to send Error Logs to syslog local
ErrorLog syslog:local0
Save the config file and exit. Restart the HTTPD service for the change to take effect:
# systemctl restart httpd.service
Local Server Configuration
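Now edit the rsyslog configuration file:
# vi /etc/rsyslog.d/httpd-collection.conf
# @@ forwards over TCP, matching the imtcp listener configured on the syslog server (a single @ sends UDP)
local0.* @@syslogserver.arkit.co.in:514
& ~
Restart the rsyslog service: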
# systemctl restart rsyslog
Syslog Server configuration
Edit the rsyslog configuration file and add the lines below to filter the data.
Note: Add this rule before the local log file filter.
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
if $fromhost-ip startswith '192.168.2.' then /var/log/network-2.log
& ~
The above configuration redirects logs from the 192.168.2.x network to the /var/log/network-2.log file.
The next line ("& ~") is important: it tells rsyslog to stop processing the message after it was written to the log. As such, these messages will not reach the local part. Without that "& ~", messages would also be written to the local files.
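The effect of rule order, of the "& ~" line and of the trailing dot in the prefix can be seen in a small model of ordered rule processing. This is an added example, not rsyslog code and not part of the original page; Rule, route, LOCAL_RULE and the /var/log/messages catch-all are assumptions made for the illustration.

```python
# Added illustration: a small model of rsyslog's top-to-bottom rule processing.
# It is not rsyslog code; Rule, route and the rule constants are hypothetical names.
from typing import Callable, List, NamedTuple

class Rule(NamedTuple):
    matches: Callable[[str], bool]   # filter evaluated against $fromhost-ip
    path: str                        # file the message is written to
    stop: bool                       # True models the "& ~" discard line

def route(rules: List[Rule], fromhost_ip: str) -> List[str]:
    """Return the files one message is written to, walking rules in order."""
    written = []
    for rule in rules:
        if rule.matches(fromhost_ip):
            written.append(rule.path)
            if rule.stop:            # "& ~": later rules never see the message
                break
    return written

# The page's filter is a plain string prefix test, so the trailing dot matters.
NETWORK_RULE = Rule(lambda ip: ip.startswith("192.168.2."),
                    "/var/log/network-2.log", True)
# Stand-in for the default local rules (assumed to be a catch-all).
LOCAL_RULE = Rule(lambda ip: True, "/var/log/messages", False)

def scenarios() -> dict:
    no_stop = NETWORK_RULE._replace(stop=False)
    no_dot = NETWORK_RULE._replace(matches=lambda ip: ip.startswith("192.168.2"))
    return {
        "rule first, with '& ~'": route([NETWORK_RULE, LOCAL_RULE], "192.168.2.15"),
        "rule first, no '& ~'": route([no_stop, LOCAL_RULE], "192.168.2.15"),
        "rule after local rules": route([LOCAL_RULE, NETWORK_RULE], "192.168.2.15"),
        "other network": route([NETWORK_RULE, LOCAL_RULE], "192.168.20.7"),
        "prefix without dot": route([no_dot, LOCAL_RULE], "192.168.20.7"),
    }

if __name__ == "__main__":
    # Constructed source addresses; prints which files each case ends up in.
    for name, files in scenarios().items():
        print(f"{name:24} -> {files}")
```

The last case shows why the filter string ends in a dot: the prefix '192.168.2' alone also matches hosts in 192.168.20.x and 192.168.200.x, so their logs would land in the wrong file.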
Method 2: Send HTTPD logs to syslog server
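Add configuration lines to the /etc/httpd/conf/httpd.conf file to send the log files to the remote server:
# vi /etc/httpd/conf/httpd.conf
# Keep a local copy of the access log
CustomLog "logs/access_log" combined
# nc -u sends over UDP, so the syslog server needs a UDP listener on port 514
CustomLog "| nc -u -j syslogserver 514" combined
# On Apache 2.4, "|$" runs the command through a shell, which the inner pipe (tee | nc) requires
ErrorLog "|$tee -a /var/log/httpd/error_log | nc -u -j syslogserver 514"
The nc utility sends the logs to the syslog server.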
Ncat is a feature-packed networking utility which reads and writes data across networks from the command line. Ncat was written for the Nmap Project and is the culmination of the currently splintered family of Netcat incarnations. It is designed to be a reliable back-end tool to instantly provide network connectivity to other applications and users.
If you want, filter the logs on the syslog server side: send the access log to remote-access.log and the error log to remote-error.log.
$ModLoad imfile
$InputFilePollInterval 10
$PrivDropToGroup adm
$WorkDirectory /var/spool/rsyslog

# Apache access file:
$InputFileName /var/log/httpd/remote-access.log
$InputFileTag apache-access:
$InputFileStateFile stat-apache-access
$InputFileSeverity info
$InputFilePersistStateInterval 2000
$InputRunFileMonitor

# Apache error file:
$InputFileName /var/log/httpd/remote-error.log
$InputFileTag apache-error:
$InputFileStateFile stat-apache-error
$InputFileSeverity error
$InputFilePersistStateInterval 2000
$InputRunFileMonitor
Restart the syslog server service for the configuration to take effect. That is how to send HTTP logs to a syslog server and store them in a specific file.
For more details on rsyslog server