Apache logging in JSON format to syslog server

Standard Apache log:-

192.168.1.123 - - [22/Dec/2023:09:00:00 +0000] "GET /birthday.html HTTP/1.1" 404 448 "-" "spoof_user_agent"

This is not a structured format easy to search through or combine with other data in a SIEM.

Add a custom log format in /etc/apache2/apache2.conf file:-

LogFormat section:-

LogFormat "{ \"time\":\"%t\", \"remoteIP\":\"%a\", \"host\":\"%V\", \"request\":\"%U\", \"query\":\"%q\", \"method\":\"%m\", \"status\":\"%>s\", \"userAgent\":\"%{User-agent}i\", \"referer\":\"%{Referer}i\" }" json_logs

Edit the website conf file:- /etc/apache2/sites-available/mysite.conf

and add

CustomLog ${APACHE_LOG_DIR}/json_access.log json_logs

Add custom log line for syslog:-

CustomLog “|/usr/bin/logger -t httpd -p <facility>.<priority>” json_logs

• <facility> is a syslog facility, for example, local0.

• <priority> is a syslog priority, for example, info or notice.

• <log format name> is a variable name that you provide to define the custom log format.

<facility>.<priority> <TAB><TAB>@<host>

• <facility> is the syslog facility, for example, local0. This value must match the value that you typed in Step 4.
• <priority> is the syslog priority, for example, info or notice. This value must match the value that you typed in Step 4.
• <TAB> indicates you must press the Tab key.
• <host> is the IP address of the Remote Syslog server or Event Collector.