Centralize apache logs to send to Sentinel

New Contributor

Hi all, I need some help, I have a syslog yesterday receives log from the firewall and forwards it to Sentinel and I wanted to take the opportunity to send apache logs to Sentinel also through the syslog server I would like. I saw that it has a connector for apache but as where apache is solaris I can't perform the agent installation, the idea would be to forward apache logs to this syslog server that will send to Sentinel would it be like?

8 Replies

Hi @Bruno_Feltrin, The Apache connector is based on a Log Analytics function and custom log so you can collect and parse logs using the Syslog collector.  All you have to do is create a parser, which is just a KQL query and save it as a function. Once you are properly parsing logs and have a function created you can use that function like a table name. 

 

Here is the Apache parse.

Note: you may need to modify this since you are collecting logs through syslog

https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/Apache/ApacheHTTPServer.txt

 

Here is documentation on creating and using functions

https://docs.microsoft.com/en-us/azure/azure-monitor/logs/functions

 

@ChrisMamas 

Did they really take down the Parser .txt file 3 days ago?  I cannot find it hosed anywhere anymore.  Do you have a copy of that parser?

Same issue here, poorly documented.

You have to add the Apache Connector from the Content Hub in Sentinel and install it.

Create then the custom log for Apache (after having connected your vm(s)) and you are good to go.

 

FedericoL_1-1643985792063.png

 

 

Regards

 

 

I have another question that is as follows , I have syslog server that receives logs from the firewall in CEF with an agent, I need to perform another agent installation to perform the sending to sentinel?

@Bruno_Feltrin You can use the same log collector for both Syslog and CEF. There two considerations:

  • Use different syslog facilities for Syslog and CEF traffic (configured on the source devices)
  • Disable synchronization of the agent to avoid duplicate messages in the Syslog and CommonSecurityEvent tables

This section of the Microsoft Docs site explains this further, and the command to run to disable synchronization of the agent (specifically the note under Run the deployment script): https://docs.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog#run-the-deploymen... 

@Fede7 

I did install Apache HTTP Server from the content hub and configured the Connector.  I also uploaded a example error.log file and chose line domination.  I then named that custom log according to the documentation.  When I run the queries that were included in the Apache HTTP Server content hub ARM deployment they are referencing columns that are not in existence.  Further research has showed me that we need that parser to take the custom logs and parse them into the appropriate Columns for KQL to reference.  That parser did exist a few days ago.  No longer.  Are you able to use the included queries or are you also only seeing the logs in RAW format (Single line with error, file, path, datestamp)?

 

@sscottlogan The parser is installed within the Apache solution on the content hub. You can check by navigating to Logs in Microsoft Sentinel, then clicking Functions and looking for ApacheHTTPServer:

 

nickselvaggiomsft_0-1644265937253.png

 

 

If you did not install the Apache solution or the parser doesn't exist, you can install it manually by creating a Log Analytics workspace function. The documentation to create a function is located at Functions in Azure Monitor log queries - Azure Monitor | Microsoft Docs, and the query to use is located at https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/ApacheHTTPServer/Parsers/Apa...

 

 

@nickselvaggio-msft 

 

Thank you so very much!

 

I was not able to find and still cannot find the parser from the Content Hub install.  But with this I will just make it!

 

Thanks,

 

Scott (Logan) Smith