Forum Discussion

Bruno_Feltrin
Copper Contributor
Jan 09, 2022

Centralize apache logs to send to Sentinel

Hi all, I need some help. I have a syslog server that receives logs from the firewall and forwards them to Sentinel, and I wanted to take the opportunity to also send Apache logs to Sentinel through that syslog server. I saw that there is a connector for Apache, but as Apache is on Solaris I can't perform the agent installation. The idea would be to forward the Apache logs to this syslog server, which would send them to Sentinel. How would that be done?

  • Hi Bruno_Feltrin, the Apache connector is based on a Log Analytics function and a custom log, so you can collect and parse logs using the Syslog collector. All you have to do is create a parser, which is just a KQL query, and save it as a function. Once you are properly parsing logs and have a function created, you can use that function like a table name.

    Here is the Apache parser.

    Note: you may need to modify this since you are collecting logs through syslog

    https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/Apache/ApacheHTTPServer.txt

    Here is the documentation on creating and using functions:

    https://docs.microsoft.com/en-us/azure/azure-monitor/logs/functions

    • sscottlogan
      Copper Contributor

      ChrisMamas

      Did they really take down the parser .txt file 3 days ago? I cannot find it hosted anywhere anymore. Do you have a copy of that parser?

      • Fede7
        Copper Contributor

        Same issue here, poorly documented.

        You have to add the Apache Connector from the Content Hub in Sentinel and install it.

        Then create the custom log for Apache (after having connected your VM(s)) and you are good to go.

        Regards
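The modification the first reply hints at, written out as an added example (not the connector's own ApacheHTTPServer.txt parser): a KQL parser that reads Apache access-log lines from the Syslog table instead of a custom log table. It assumes the access log is piped to the syslog server with the process tag httpd and is in Combined Log Format; both are assumptions to adjust for your setup.

```kql
// Added example, not from the thread or the Azure-Sentinel repository.
// Parses Apache Combined Log Format lines that arrived via the Syslog table.
Syslog
| where ProcessName == "httpd"                       // assumed syslog tag; match your logger -t value
| where SyslogMessage matches regex @'^\S+ \S+ \S+ \[[^\]]+\] "'   // keep access-log lines only
| extend
    ClientIP    = extract(@'^(\S+) ', 1, SyslogMessage),
    RemoteUser  = extract(@'^\S+ \S+ (\S+) ', 1, SyslogMessage),
    RequestTime = extract(@'\[([^\]]+)\]', 1, SyslogMessage),
    RequestLine = extract(@'\] "([^"]*)" ', 1, SyslogMessage),
    StatusCode  = toint(extract(@'" (\d{3}) \S+', 1, SyslogMessage)),
    Bytes       = tolong(extract(@'" \d{3} (\d+|-)', 1, SyslogMessage)),   // "-" becomes null
    // Referer and UserAgent stay empty for Common Log Format lines
    Referer     = extract(@'" \d{3} \S+ "([^"]*)" "', 1, SyslogMessage),
    UserAgent   = extract(@'" \d{3} \S+ "[^"]*" "([^"]*)"', 1, SyslogMessage)
| extend
    HttpMethod  = tostring(split(RequestLine, " ")[0]),
    RequestUri  = tostring(split(RequestLine, " ")[1]),
    HttpVersion = tostring(split(RequestLine, " ")[2])
| project TimeGenerated, Computer, HostName, ClientIP, RemoteUser, RequestTime,
          HttpMethod, RequestUri, HttpVersion, StatusCode, Bytes, Referer, UserAgent
```

Save the query as a function (for example named ApacheHTTPServer, the name the connector's content expects) so it can be queried like a table.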
