NetWitness having parsing issues when collecting Ubuntu Apache logs
Issue
Apache (HTTP) syslog will not be parsed correctly if the following conditions are both true:
- Apache is installed on an Ubuntu system.
- You follow the steps in the Apache HTTP Server Event Source Configuration Guide, section "Configure Syslog Collection for Apache HTTP Server on UNIX":
1. Open the /etc/httpd/conf/httpd.conf file, and find several lines that begin with LogFormat. Add the following line after the final LogFormat line:
LogFormat "\"%m: %h %l %u %t \"%m \"%V\" \"%U\" \"%q\" %H\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cookie}i\"" rsa
2. Find the following line:
CustomLog logs/access_log combined
and replace combined with rsa, so that the line reads as follows:
CustomLog logs/access_log rsa
3. Add the following lines to the end of the /etc/rsyslog.conf file:
#### MODULES ####
$ModLoad imfile # load the imfile input module
# Watch /var/log/httpd/access_log
$InputFileName /var/log/httpd/access_log
$InputFileTag %APACHE-
$InputFileStateFile state-apache-access
$InputRunFileMonitor
*.* @ipaddress
where ipaddress is the IP address of your RSA NetWitness Suite Log Decoder or RSA NetWitness Suite Remote Log Collector.
After you complete these steps and the Ubuntu device sends syslog to NetWitness, the Apache events are not parsed against the Apache parser: you will most likely see only word meta for them on the Events page.
Cause
This issue occurs because the LogFormat and CustomLog lines added above never take effect. The Apache package on Ubuntu (apache2) lays out its configuration and logs differently from the paths in the guide: there is no /etc/httpd/conf/httpd.conf, the main configuration file is /etc/apache2/apache2.conf, CustomLog is set per virtual host in /etc/apache2/sites-available/, and the access log is written to /var/log/apache2/access.log rather than /var/log/httpd/access_log. Apache therefore keeps writing the stock combined format, and rsyslog is told to watch a file that does not exist.
Resolution
1. On Ubuntu, add the following line to /etc/apache2/apache2.conf, after the existing LogFormat lines:
LogFormat "\"%m: %h %l %u %t \"%m \"%V\" \"%U\" \"%q\" %H\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cookie}i\"" rsa1
2. Change the following line in /etc/apache2/sites-available/000-default.conf (and in any other enabled virtual host under /etc/apache2/sites-enabled/ that has its own CustomLog line)
From
CustomLog ${APACHE_LOG_DIR}/access.log combined
To
CustomLog ${APACHE_LOG_DIR}/access.log rsa1
3. Add the following lines in /etc/rsyslog.conf
#### MODULES ####
$ModLoad imfile # load the imfile input module
# Watch /var/log/apache2/access.log
$InputFileName /var/log/apache2/access.log
$InputFileTag %APACHE-
$InputFileStateFile state-apache-access
$InputRunFileMonitor
*.* @ipaddress
where ipaddress is the IP address of your RSA NetWitness Suite Log Decoder or RSA NetWitness Suite Remote Log Collector. Note that a single @ forwards over UDP (use @@ for TCP), and the *.* selector forwards every message on the host, not only the Apache file.
4. Restart the rsyslog and apache2 services for the changes to take effect, then confirm that new lines appended to /var/log/apache2/access.log start with the request method (for example "GET: ...) rather than with the client IP address, which is how the stock combined format begins.
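The quickest way to tell whether the LogFormat change took effect, and to see why the Issue section ends in word meta, is to check which format the access log is actually in before rsyslog forwards it. The following script is an added example for this article (not NetWitness or Apache code): it parses access.log lines in both the custom rsa/rsa1 format defined above and Ubuntu's stock combined format, counts them, and reports whether the newest line is in the rsa format. The sample lines, hostnames and header values are constructed for the example; run it against /var/log/apache2/access.log to check a real system.

```python
"""Check whether an Apache access log is in the NetWitness "rsa"/"rsa1" LogFormat.

Added example for this article; not NetWitness or Apache code. The sample lines
below are constructed, not taken from a real server.
"""
import re
import sys
from typing import Dict, List, Optional

# The custom LogFormat from the article, after Apache unescapes the \" sequences:
#   "%m: %h %l %u %t "%m "%V" "%U" "%q" %H" %>s %b "%{Referer}i" "%{User-Agent}i" "%{Cookie}i"
# Apache escapes embedded double quotes in header values as \", which this simple
# regex does not handle; it is a format check, not a full parser.
RSA_RE = re.compile(
    r'^"(?P<method>\S+): (?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<method2>\S+) "(?P<server>[^"]*)" "(?P<path>[^"]*)" '
    r'"(?P<query>[^"]*)" (?P<protocol>\S+)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Ubuntu's stock "combined" format: what the file keeps receiving when the
# LogFormat/CustomLog edits did not take effect.
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Constructed sample lines: two in the rsa format, one in the combined format.
SAMPLE_LINES = [
    '"GET: 192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET "www.example.com" '
    '"/index.html" "?id=1" HTTP/1.1" 200 1234 "http://example.org/start" '
    '"Mozilla/5.0" "session=abc123"',
    '"POST: 198.51.100.7 - alice [10/Oct/2023:13:56:02 +0000] "POST "www.example.com" '
    '"/login" "" HTTP/1.1" 302 - "-" "curl/8.0" "-"',
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html?id=1 HTTP/1.1" '
    '200 1234 "http://example.org/start" "Mozilla/5.0"',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the line's fields plus a "format" key, or None if neither format matches."""
    line = line.rstrip("\r\n")
    for fmt, pattern in (("rsa", RSA_RE), ("combined", COMBINED_RE)):
        m = pattern.match(line)
        if m:
            fields = m.groupdict()
            fields["format"] = fmt
            return fields
    return None


def audit_access_log(lines: List[str]) -> Dict[str, object]:
    """Count lines per format and report whether the newest line is in the rsa format.

    Older combined lines left in the file from before the change are expected;
    what matters is that lines written after the restart use the rsa format.
    """
    counts = {"rsa": 0, "combined": 0, "unknown": 0}
    last_format = None
    for line in lines:
        if not line.strip():
            continue
        parsed = parse_line(line)
        fmt = parsed["format"] if parsed else "unknown"
        counts[fmt] += 1
        last_format = fmt
    return {
        "counts": counts,
        "last_format": last_format,
        "ready_for_decoder": last_format == "rsa",
    }


def main(argv: List[str]) -> int:
    """Audit the file given as the first argument, or the built-in samples."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LINES
    report = audit_access_log(lines)
    print(f"lines by format: {report['counts']}")
    print(f"newest line format: {report['last_format']}")
    if report["ready_for_decoder"]:
        print("OK: Apache is writing the rsa LogFormat; safe to forward to the Log Decoder")
        return 0
    print("NOT OK: newest line is not in the rsa format; check LogFormat/CustomLog and restart apache2")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python3 check_apache_format.py /var/log/apache2/access.log` on the Ubuntu host after step 4. A non-zero exit means the newest line is still in the combined (or an unrecognised) format, which is exactly the input that leaves the Log Decoder with nothing but word meta.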
Product Details
NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: LogCollector, LogDecoder
NetWitness Version/Condition: 12.x
Platform: CentOS 7 / Alma
Summary
Collect Apache (HTTP) syslog from Ubuntu. The Apache device configuration guide does not apply as written when Apache is installed on an Ubuntu system.