Jan 08 2022 04:45 PM
Hi all, I need some help. I have a syslog server that receives logs from the firewall and forwards them to Sentinel, and I wanted to take the opportunity to also send Apache logs to Sentinel through that syslog server. I saw that there is a connector for Apache, but since the server where Apache runs is Solaris I can't install the agent. The idea would be to forward the Apache logs to this syslog server, which would then send them to Sentinel. How would that work?
Jan 27 2022 01:09 PM
Hi @Bruno_Feltrin, the Apache connector is based on a Log Analytics function and a custom log, so you can collect and parse logs using the Syslog collector. All you have to do is create a parser, which is just a KQL query, and save it as a function. Once you are properly parsing logs and have a function created, you can use that function like a table name.
Here is the Apache parser.
Note: you may need to modify this since you are collecting logs through syslog.
Here is documentation on creating and using functions.
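As an added illustration of the "parser saved as a function" approach described above (this is example code, not the thread's own parser and not Microsoft's ApacheHTTPServer function), the query below turns Apache combined-format access lines that arrive in the `Syslog` table into typed columns, then uses the function in a simple server-error summary. Assumptions, all mine: the forwarder tags the lines with the program name `apache` (adjust the `ProcessName` filter to whatever your rsyslog/syslog-ng configuration uses), the lines are in Apache's combined log format, and the output column names are my own choice rather than the names used by the content-hub parser.

```kusto
// Added example, not from the thread or from Microsoft's ApacheHTTPServer solution.
// Assumption: the syslog forwarder tags Apache access lines with ProcessName "apache".
let ApacheAccessFromSyslog = () {
    Syslog
    | where ProcessName =~ "apache"          // placeholder tag; match your forwarder's program name
    | where SyslogMessage has "HTTP/"        // cheap pre-filter so error.log lines are skipped
    // One regex for the combined log format; each match yields an array of 11 capture groups:
    // 0 client, 1 ident, 2 user, 3 timestamp, 4 method, 5 uri, 6 version, 7 status, 8 bytes, 9 referer, 10 user agent
    | extend m = extract_all(@'(\S+) (\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"', SyslogMessage)
    | where array_length(m) == 1             // drop lines that are not access-log shaped
    | extend f = m[0]
    // Apache writes "10/Oct/2000:13:55:36 -0700"; split it so it can be rebuilt as a UTC datetime
    | extend t = extract_all(@'(\d{2})/(\w{3})/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})', tostring(f[3]))[0]
    | extend Month = toint(indexof("JanFebMarAprMayJunJulAugSepOctNovDec", tostring(t[1])) / 3) + 1
    | extend OffsetSign = iff(tostring(t[6]) == "+", 1, -1)
    // local time minus its UTC offset gives UTC
    | extend RequestTime = make_datetime(toint(t[2]), Month, toint(t[0]), toint(t[3]), toint(t[4]), toint(t[5]))
                           - OffsetSign * (toint(t[7]) * 1h + toint(t[8]) * 1m)
    | extend ClientIP      = tostring(f[0]),
             AuthUser      = tostring(f[2]),
             HttpMethod    = tostring(f[4]),
             RequestUri    = tostring(f[5]),
             HttpVersion   = tostring(f[6]),
             HttpStatus    = toint(f[7]),
             ResponseBytes = iff(tostring(f[8]) == "-", 0, toint(f[8])),   // "-" means no body was sent
             Referer       = tostring(f[9]),
             UserAgent     = tostring(f[10])
    | project TimeGenerated, Computer, RequestTime, ClientIP, AuthUser, HttpMethod, RequestUri,
              HttpVersion, HttpStatus, ResponseBytes, Referer, UserAgent
};
// Usage once the body above is saved as a workspace function: it behaves like a table.
ApacheAccessFromSyslog()
| where HttpStatus >= 500
| summarize ServerErrors = count() by Computer, RequestUri, bin(TimeGenerated, 15m)
| order by ServerErrors desc
```

To save it as a function, paste only the body inside the `let` (from `Syslog` to the final `project`) into the Logs blade and use "Save as function" with the name you want to query by; the `let` wrapper is there so the example runs as a single ad-hoc query. Lines that do not match the combined format are dropped by the `array_length(m) == 1` check rather than producing null columns, which keeps the summary from counting malformed input.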
Feb 04 2022 05:32 AM - edited Feb 04 2022 06:43 AM
Same issue here, poorly documented.
You have to add the Apache connector from the Content Hub in Sentinel and install it.
Then create the custom log for Apache (after having connected your VM(s)) and you are good to go.
Feb 04 2022 06:46 AM
Feb 04 2022 07:19 AM - edited Feb 04 2022 07:20 AM
@Bruno_Feltrin You can use the same log collector for both Syslog and CEF. There are two considerations:
This section of the Microsoft Docs site explains this further, and the command to run to disable synchronization of the agent (specifically the note under Run the deployment script): https://docs.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog#run-the-deploymen...
Feb 04 2022 11:24 AM
I did install Apache HTTP Server from the content hub and configured the connector. I also uploaded an example error.log file and chose line delimitation. I then named that custom log according to the documentation. When I run the queries that were included in the Apache HTTP Server content hub ARM deployment, they reference columns that do not exist. Further research has shown me that we need that parser to take the custom logs and parse them into the appropriate columns for KQL to reference. That parser did exist a few days ago. No longer. Are you able to use the included queries, or are you also only seeing the logs in raw format (single line with error, file, path, datestamp)?
Feb 07 2022 12:32 PM
@sscottlogan The parser is installed within the Apache solution on the content hub. You can check by navigating to Logs in Microsoft Sentinel, then clicking Functions and looking for ApacheHTTPServer:
If you did not install the Apache solution, or the parser doesn't exist, you can install it manually by creating a Log Analytics workspace function. The documentation for creating a function is located at Functions in Azure Monitor log queries - Azure Monitor | Microsoft Docs, and the query to use is located at https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/ApacheHTTPServer/Parsers/Apa...