Sending Apache Logs to LogZilla

  • 06 October 2015

This method is not limited to Apache, but will work for any Common Log Format log. Each line in a file stored in the Common Log Format has the following syntax:

host ident authuser date request status bytes

The first step is to add a new source to your syslog-ng configuration. In the /etc/syslog-ng/conf.d directory, we’ll create a file and name it apache.conf.

cd /etc/syslog-ng/conf.d 
 vi apache.conf

Once the file is open in the editor, we’ll first add the source.

source s_apache {

You can also add the ssl-access.log if you have enabled that on your web server. In the same file, we’ll need to add a destination.

log { source(s_apache);

In this example, the destination is a TLS tunnel created in a previous tutorial. Save the file and quit, then restart syslog-ng.

service syslog-ng restart

You should now be receiving apache events on your Logzilla server, but they’ll look a little off. That’s because they haven’t been formatted yet. To do that, we’ll need to edit the apache configuration. This step will only work for Apache. For other Common Log Format sources, each will have it’s own solution for formatting.

cd /etc/apache2
 vi apache2.conf

In that file, you’ll find a line like this:

LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %v" combined

It will need a bit added to it (it will ignore the pre-set date).

LogFormat "Jan 12 12:12:12 %v apache[666]: %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %v" combined

Save the file and restart Apache, and your logs should look like this:

0 www user notice apache None - - [07/Nov/2013:15:14:41 -0500] "GET /highslide/highslide.css HTTP/1.1" 304 209 
"" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; EIE10;ENUSMSN)"

You can create custom reports to make further use of this data, or just contact us us to give you a hand with it.