Forum Discussion
Centralize apache logs to send to Sentinel
ChrisMamas
Did they really take down the Parser .txt file 3 days ago? I cannot find it hosted anywhere anymore. Do you have a copy of that parser?
Same issue here, poorly documented.
You have to add the Apache Connector from the Content Hub in Sentinel and install it.
Create then the custom log for Apache (after having connected your vm(s)) and you are good to go.
Regards
- sscottlogan, Feb 04, 2022, Copper Contributor
Fede7
I did install Apache HTTP Server from the content hub and configured the Connector. I also uploaded an example error.log file and chose line delimitation. I then named that custom log according to the documentation. When I run the queries that were included in the Apache HTTP Server content hub ARM deployment they are referencing columns that are not in existence. Further research has shown me that we need that parser to take the custom logs and parse them into the appropriate Columns for KQL to reference. That parser did exist a few days ago. No longer. Are you able to use the included queries or are you also only seeing the logs in RAW format (Single line with error, file, path, datestamp)?
- nickselvaggio-msft, Feb 07, 2022, Microsoft
sscottlogan The parser is installed within the Apache solution on the content hub. You can check by navigating to Logs in Microsoft Sentinel, then clicking Functions and looking for ApacheHTTPServer:
If you did not install the Apache solution or the parser doesn't exist, you can install it manually by creating a Log Analytics workspace function. The documentation to create a function is located at Functions in Azure Monitor log queries - Azure Monitor | Microsoft Docs, and the query to use is located at https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/ApacheHTTPServer/Parsers/ApacheHTTPServer.txt
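As an added illustration (not the Microsoft parser from the Azure-Sentinel repository), the block below is the kind of KQL body you would save as a Log Analytics function so that the content hub queries have named columns to reference. It assumes the custom table is named `ApacheHTTPServer_CL` and that the raw line sits in `RawData`, which is the default column of an Azure Monitor custom log; the sample line in the comment is constructed, and IPv6 client addresses are not handled.

```kql
// Added example, not the content hub parser. Assumed table: ApacheHTTPServer_CL,
// raw line in RawData (default custom-log column). Constructed sample line:
// [Mon Feb 07 09:15:22.104233 2022] [core:error] [pid 1234:tid 140] [client 203.0.113.5:51234] File does not exist: /var/www/html/favicon.ico
ApacheHTTPServer_CL
| extend
    EventTimeRaw = extract(@"^\[([^\]]+)\]", 1, RawData),                       // "Mon Feb 07 09:15:22.104233 2022"
    Module       = extract(@"^\[[^\]]+\] \[([a-z_]+):", 1, RawData),            // "core"
    LogLevel     = extract(@"^\[[^\]]+\] \[[a-z_]+:([a-z]+)\]", 1, RawData),    // "error"
    ProcessId    = toint(extract(@"\[pid (\d+)", 1, RawData)),
    ThreadId     = tolong(extract(@"\[pid \d+:tid (\d+)\]", 1, RawData)),
    ClientIp     = extract(@"\[client ([^:\]]+)(?::\d+)?\]", 1, RawData),       // IPv4 only in this example
    ClientPort   = toint(extract(@"\[client [^:\]]+:(\d+)\]", 1, RawData)),
    Message      = extract(@"\] ([^\[\]]+)$", 1, RawData)                       // text after the last bracketed field
// Map Apache log levels to a coarse severity so analytics rules can filter on it.
| extend Severity = case(
    LogLevel in ("emerg", "alert", "crit", "error"), "High",
    LogLevel == "warn", "Medium",
    "Low")
| project TimeGenerated, Computer, EventTimeRaw, Module, LogLevel, Severity,
          ProcessId, ThreadId, ClientIp, ClientPort, Message, RawData
```

Each field is pulled with its own `extract()` rather than one `parse` statement so that lines without a `[client ...]` segment (for example startup or module-load messages) still yield the timestamp, module, level and message columns instead of all-empty rows. Save it under the function name the content hub queries call (`ApacheHTTPServer` in this thread) and the bundled queries can be run against it.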
- sscottlogan, Feb 08, 2022, Copper Contributor
Thank you so very much!
I was not able to find and still cannot find the parser from the Content Hub install. But with this I will just make it!
Thanks,
Scott (Logan) Smith
- Bruno_Feltrin, Feb 04, 2022, Copper Contributor
I have another question that is as follows: I have a syslog server that receives logs from the firewall in CEF with an agent. Do I need to perform another agent installation to perform the sending to Sentinel?
- nickselvaggio-msft, Feb 04, 2022, Microsoft
Bruno_Feltrin You can use the same log collector for both Syslog and CEF. There are two considerations:
- Use different syslog facilities for Syslog and CEF traffic (configured on the source devices)
- Disable synchronization of the agent to avoid duplicate messages in the Syslog and CommonSecurityEvent tables
This section of the Microsoft Docs site explains this further, and the command to run to disable synchronization of the agent (specifically the note under Run the deployment script): https://docs.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog#run-the-deployment-script
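A quick way to confirm the two points above took effect, added here as an example rather than anything from the linked documentation: if the CEF facility is still being forwarded to the Syslog table, the agent synchronization has not been disabled. The facility name `local4` is an assumption; substitute whatever the firewall is configured to send CEF on.

```kql
// Added check, not from the Microsoft docs. Assumed CEF facility on the source devices: local4.
// Rows returned here are hosts whose CEF messages are also being duplicated into Syslog.
let cefFacility = "local4";
let syslogSide = Syslog
    | where TimeGenerated > ago(1h) and Facility == cefFacility
    | summarize SyslogRows = count() by Computer;
let cefSide = CommonSecurityEvent
    | where TimeGenerated > ago(1h)
    | summarize CefRows = count() by Computer;
cefSide
| join kind=leftouter syslogSide on Computer
| project Computer, CefRows, SyslogRows = coalesce(SyslogRows, 0)
| where SyslogRows > 0   // any hit means duplicate ingestion (and double billing) from that collector
```

An empty result over a busy hour is the expected state after running the deployment script's disable-synchronization step; a non-empty result points at the collector named in `Computer` as the one still forwarding the CEF facility through the plain Syslog path.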