Send HTTP Logs to a Syslog Server and Store Them in a Specific File

This document briefly explains how to send HTTP logs to a syslog server and store them in a specific file. You can also segregate the log files collected from remote servers based on their network address. Keep one copy on the local system and send one copy of the logs to the remote syslog server for correlation or analysis.

How to Send HTTP Logs to a Syslog Server

There are two ways to collect HTTP logs on a syslog server. One method is to configure CustomLog lines in the httpd.conf file and route the logs to the syslog server; the other is to configure the syslog configuration file to send them.

Edit the httpd.conf file and add the configuration specified below.

# vi /etc/httpd/conf/httpd.conf
## Add this line to send Error Logs to syslog local
ErrorLog syslog:local0

Save the config file and exit. Restart the HTTPD service for the change to take effect.

# systemctl restart httpd.service

Local Server Configuration

Now edit the syslog configuration file.

# vi /etc/rsyslog.d/httpd-collection.conf
& ~

Restart the syslog service.

# systemctl restart rsyslog

Syslog Server configuration

Edit the rsyslog configuration file and add the lines below to filter the data.

Note: Add this rule before the local log file filters.

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

if $fromhost-ip startswith '192.168.2.' then /var/log/network-2.log
& ~

The above configuration redirects the logs from the 192.168.2.x network to the /var/log/network-2.log file.

The next line (“& ~”) is important: it tells rsyslog to stop processing the message after it has been written to the log. As such, these messages will not reach the local part. Without that “& ~”, messages would also be written to the local files.

Method 2: Send HTTPD logs to syslog server

We have to add configuration lines to the /etc/httpd/conf/httpd.conf file to send the log files to the remote server.

# vi /etc/httpd/conf/httpd.conf

CustomLog "logs/access_log" combined
CustomLog "| nc -u -j syslogserver 514" combined

ErrorLog "| tee -a /var/log/httpd/error_log | nc -u -j syslogserver 514"


We are using the nc utility to send the logs to the syslog server.

Ncat is a feature-packed networking utility which reads and writes data across networks from the command line. Ncat was written for the Nmap Project and is the culmination of the currently splintered family of Netcat incarnations. It is designed to be a reliable back-end tool to instantly provide network connectivity to other applications and users.
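
An alternative to the raw nc pipe above, as an added example that is not code from the original article: a piped-log helper that wraps each Apache line in an RFC 3164 header with facility local0 and the apache-access / apache-error tags, so the server can filter on facility and tag instead of receiving header-less lines. The script path, the syslogserver host name and a UDP listener on port 514 at the server are assumptions.

```python
#!/usr/bin/env python3
"""Piped-log helper (added example): Apache log lines -> RFC 3164 over UDP."""
import socket
import sys
import time

FACILITY_LOCAL0 = 16                  # same facility as "ErrorLog syslog:local0"
SEVERITY = {"error": 3, "info": 6}    # syslog severity codes
MAX_LEN = 1024                        # RFC 3164 maximum packet size


def format_rfc3164(line, tag, severity="info", hostname=None, now=None):
    """Return one syslog datagram (bytes) for a single Apache log line."""
    pri = FACILITY_LOCAL0 * 8 + SEVERITY[severity]
    ts = time.strftime("%b %d %H:%M:%S", time.localtime(now))
    if ts[4] == "0":                  # RFC 3164 pads single-digit days with a space
        ts = ts[:4] + " " + ts[5:]
    host = hostname or socket.gethostname().split(".")[0]
    # Neutralise control characters so an embedded newline or escape
    # sequence in a request cannot split or forge records downstream.
    body = "".join(c if c.isprintable() else "?" for c in line.rstrip("\r\n"))
    msg = f"<{pri}>{ts} {host} {tag}: {body}".encode("utf-8", "replace")
    return msg[:MAX_LEN]


def forward(stream, dest, tag, severity="info"):
    """Send each non-empty line from stream to dest=(host, port); return count."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in stream:
            if line.strip():
                sock.sendto(format_rfc3164(line, tag, severity), dest)
                sent += 1
    return sent


if __name__ == "__main__":
    # Assumed usage in httpd.conf (hypothetical install path):
    #   CustomLog "|/usr/local/bin/apache2syslog.py syslogserver apache-access info" combined
    #   ErrorLog  "|/usr/local/bin/apache2syslog.py syslogserver apache-error error"
    sys.stdin.reconfigure(errors="replace")   # tolerate undecodable bytes
    host, tag, sev = sys.argv[1:4]
    forward(sys.stdin, (host, 514), tag, sev)
```
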

Filter the logs on the syslog server side if you want: send the access log to remote-access.log and the error log to remote-error.log.

$ModLoad imfile
$InputFilePollInterval 10 
$PrivDropToGroup adm
$WorkDirectory /var/spool/rsyslog

# Apache access file:
$InputFileName /var/log/httpd/remote-access.log
$InputFileTag apache-access:
$InputFileStateFile stat-apache-access
$InputFileSeverity info
$InputFilePersistStateInterval 2000

#Apache Error file: 
$InputFileName /var/log/httpd/remote-error.log
$InputFileTag apache-error:
$InputFileStateFile stat-apache-error
$InputFileSeverity error
$InputFilePersistStateInterval 2000

Restart the syslog service on the server for the configuration to take effect. That’s how we can send HTTP logs to a syslog server and store them in a specific file.
