Centralize apache logs to send to Sentinel
Hi Bruno_Feltrin,
The Apache connector is based on a Log Analytics function and a custom log, so you can collect and parse logs using the Syslog collector. All you have to do is create a parser, which is just a KQL query, and save it as a function. Once you are properly parsing logs and have a function created, you can use that function like a table name.
Here is the Apache parser.
Note: you may need to modify this since you are collecting logs through syslog.
https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/Apache/ApacheHTTPServer.txt
Here is documentation on creating and using functions
https://docs.microsoft.com/en-us/azure/azure-monitor/logs/functions
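The following is an added example of the kind of parser the answer above describes; it is written for this thread and is not the parser from the Azure-Sentinel repository or any Microsoft-provided function. It assumes Apache access logs in the Combined Log Format are forwarded by rsyslog with facility local4 and the program name "apache-access", so that each access line lands in the SyslogMessage column of the Syslog table; the facility and program name are assumptions and must be changed to match your forwarding setup.

```kusto
// Added example parser (not the Azure-Sentinel repository parser).
// Assumptions: Apache access log lines in Combined Log Format arrive in the
// Syslog table via rsyslog with Facility "local4" and ProcessName "apache-access".
// Adjust the two filters below to match your rsyslog/imfile configuration.
let MonthNames = "JanFebMarAprMayJunJulAugSepOctNovDec";
Syslog
| where Facility == "local4"                // assumption: facility chosen in rsyslog
| where ProcessName == "apache-access"      // assumption: tag set on the imfile input
// Combined Log Format, one constructed sample line:
// 203.0.113.7 - frank [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326 "http://example.com/" "Mozilla/5.0"
| parse SyslogMessage with ClientIP:string " " Ident:string " " AuthUser:string
    " [" Day:int "/" MonthAbbr:string "/" Year:int ":" Hour:int ":" Minute:int ":" Second:int " " TzOffset:string "] "
    '"' Method:string " " RequestUri:string " " Protocol:string '" '
    StatusCode:int " " BytesSentRaw:string
    ' "' Referer:string '" "' UserAgent:string '"'
// Apache writes "-" for empty fields; normalise them before use.
| extend BytesSent = iff(BytesSentRaw == "-", 0, toint(BytesSentRaw)),
         AuthUser  = iff(AuthUser == "-", "", AuthUser),
         Referer   = iff(Referer == "-", "", Referer)
// Rebuild the request time as UTC from the local timestamp and the +hhmm/-hhmm offset.
| extend Month = toint(indexof(MonthNames, MonthAbbr) / 3) + 1,
         OffsetMinutes = iff(substring(TzOffset, 0, 1) == "-", -1, 1)
                         * (toint(substring(TzOffset, 1, 2)) * 60 + toint(substring(TzOffset, 3, 2)))
| extend RequestTime = make_datetime(Year, Month, Day, Hour, Minute, Second) - OffsetMinutes * 1m
| project TimeGenerated, Computer, RequestTime, ClientIP, AuthUser, Method, RequestUri,
          Protocol, StatusCode, BytesSent, Referer, UserAgent
```

Run the query in Logs, confirm that the sample line above yields StatusCode 200, BytesSent 2326 and RequestTime 2000-10-10 20:55:36 UTC, then save it with Save > Save as function under a name of your choosing (for instance ApacheAccessSyslog, a hypothetical name). Afterwards the function can be queried like a table, e.g. ApacheAccessSyslog | where StatusCode >= 500 | summarize count() by RequestUri. Note that error.log lines have a different layout from access log lines and need their own parse pattern; this example only covers the access log.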
- sscottlogan, Feb 01, 2022, Copper Contributor
ChrisMamas
Did they really take down the Parser .txt file 3 days ago? I cannot find it hosted anywhere anymore. Do you have a copy of that parser?
- Fede7, Feb 04, 2022, Copper Contributor
Same issue here, poorly documented.
You have to add the Apache Connector from the Content Hub in Sentinel and install it.
Then create the custom log for Apache (after having connected your VM(s)) and you are good to go.
Regards
- sscottlogan, Feb 04, 2022, Copper Contributor
Fede7
I did install Apache HTTP Server from the content hub and configured the connector. I also uploaded an example error.log file and chose line delimitation. I then named that custom log according to the documentation. When I run the queries that were included in the Apache HTTP Server content hub ARM deployment, they reference columns that do not exist. Further research has shown me that we need that parser to take the custom logs and parse them into the appropriate columns for KQL to reference. That parser did exist a few days ago. No longer. Are you able to use the included queries, or are you also only seeing the logs in RAW format (single line with error, file, path, datestamp)?