====== Apache logging in JSON format to syslog server ======

===== JSON =====


Standard Apache log:-

<code>
192.168.1.123 - - [22/Dec/2023:09:00:00 +0000] "GET /birthday.html HTTP/1.1" 404 448 "-" "spoof_user_agent"
</code>

This is not a structured format easy to search through or combine with other data in a SIEM.

Add a custom log format in /etc/apache2/apache2.conf file:-

<code>
LogFormat section:-

LogFormat "{ \"time\":\"%t\", \"remoteIP\":\"%a\", \"host\":\"%V\", \"request\":\"%U\", \"query\":\"%q\", \"method\":\"%m\", \"status\":\"%>s\", \"userAgent\":\"%{User-agent}i\", \"referer\":\"%{Referer}i\" }" json_logs
</code>

Edit the website conf file:- ''/etc/apache2/sites-available/mysite.conf'' 

and add

''CustomLog ${APACHE_LOG_DIR}/json_access.log json_logs''

===== Syslog =====

==== Apache server config ====

Add custom log line for syslog:-

''CustomLog "|/usr/bin/logger -t httpd -p <facility>.<priority>" json_logs''

  * <facility> is a syslog facility, for example, local0.

  * <priority> is a syslog priority, for example, info or notice.

  * <log format name> is a variable name that you provide to define the custom log format.


==== Syslog server config ====

''<facility>.<priority> <TAB><TAB>@<host>''

  *  <facility> is the syslog facility, for example, local0. This value must match the value that you typed in Step 4.
  *  <priority> is the syslog priority, for example, info or notice. This value must match the value that you typed in Step 4.
  *  <TAB> indicates you must press the Tab key.
  *  <host> is the IP address of the Remote Syslog server or Event Collector.