Overview
Blumira integrates with Apache Web Server to detect cybersecurity threats and provide actionable response to remediate when a threat is detected.
When configured, the Blumira integration with Apache will stream security event logs to the Blumira service for automated threat detection and actionable response.
Before you begin
To complete Log Collection for your Apache Web Server, you will need to complete the Integrating with Linux OS process first. Once you’ve completed that step, you can proceed to the steps on this page.
If you have a special logging configuration for your Apache Web Server, you may need to tweak the following configuration.
Configuring Apache Web Server logs
To begin sending Apache Web Server logs to Blumira:
- Verify that your Apache configuration matches the following. This applies to default configurations and to configurations that have not been heavily modified:
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Note: As mentioned above, this content expects that you are using the defaults and logging to /var/log/apache2/access.log and /var/log/apache2/error.log with appropriate log rotation. If you have set this up differently through your vhosts or site configuration, replace the paths in the later steps with those details.
- Rsyslog must spool the data for Apache into a working directory, so verify that the spool exists by running the following command:
sudo ls /var/spool/rsyslog
If you receive a "No such file or directory" error, run the following commands (the chown is only needed on Ubuntu, where rsyslog runs as the syslog user):
sudo mkdir -v /var/spool/rsyslog
if [ "$(lsb_release -ds | grep Ubuntu)" != "" ]; then
    sudo chown -R syslog:adm /var/spool/rsyslog
fi
- Add the Rsyslog Config File by opening or creating the new Blumira Apache log configuration file:
sudo vim /etc/rsyslog.d/25-apache.conf
You can also use nano, emacs, or your preferred text editor. The file just must be located at /etc/rsyslog.d/25-apache.conf.
- Copy and paste the following content into the file:
# Prep
$ModLoad imfile
$InputFilePollInterval 10
$PrivDropToGroup adm
$WorkDirectory /var/spool/rsyslog

# Apache Access File:
$InputFileName /var/log/apache2/access.log
$InputFileTag apache-access:
$InputFileStateFile stat-apache-access
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor

# Apache Error File:
$InputFileName /var/log/apache2/error.log
$InputFileTag apache-error:
$InputFileStateFile stat-apache-error
$InputFileSeverity error
$InputFilePersistStateInterval 20000
$InputRunFileMonitor

# Tag, Forward to BLUNIX System Logger then Stop
if $programname == 'apache-access' then stop
if $programname == 'apache-error' then stop
Note: As mentioned above, you can change the paths of the access and error log files if they are located elsewhere on your system.
- Restart the rsyslog service so that it starts processing Apache data with the new configuration:
sudo /etc/init.d/rsyslog restart
or
sudo service rsyslog restart
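After the restart, the quickest way to confirm that imfile is really tailing the Apache logs is to look for the state files it writes into the spool directory. The script below is an added example, not Blumira's own tooling: it reads a legacy-syntax rsyslog file such as /etc/rsyslog.d/25-apache.conf, checks the $WorkDirectory spool, each $InputFileName log, and the matching $InputFileStateFile, and reports what is missing. Run it with sudo, like the other commands on this page.

```shell
#!/bin/sh
# Added example, not Blumira's own tooling: check that a legacy-syntax rsyslog
# imfile configuration such as /etc/rsyslog.d/25-apache.conf is actually tailing
# the Apache logs. It verifies the $WorkDirectory spool, the presence of each
# $InputFileName log and the matching $InputFileStateFile in the spool, which
# imfile writes only after its first poll ($InputFilePollInterval 10 above, so
# wait ten seconds after restarting rsyslog). Returns 1 if any check fails.

check_imfile_config() {
    conf="$1"
    rc=0
    if [ ! -r "$conf" ]; then
        echo "FAIL: cannot read $conf"
        return 1
    fi
    # The file must load the file-input module itself.
    if ! grep -Eq '^\$ModLoad[[:space:]]+imfile' "$conf"; then
        echo "FAIL: \$ModLoad imfile missing from $conf"
        rc=1
    fi
    # Spool where imfile keeps its read offsets (state files).
    workdir=$(awk '$1=="$WorkDirectory"{print $2}' "$conf")
    if [ -n "$workdir" ] && [ -d "$workdir" ]; then
        echo "ok: spool directory $workdir"
    else
        echo "FAIL: spool directory '$workdir' is missing"
        rc=1
    fi
    # Pair each monitored log with the state file declared after it.
    pairs=$(awk '$1=="$InputFileName"{f=$2} $1=="$InputFileStateFile"{print f ":" $2}' "$conf")
    for pair in $pairs; do
        logfile=${pair%%:*}
        statefile=${pair#*:}
        if [ -f "$logfile" ]; then
            echo "ok: $logfile exists"
        else
            echo "FAIL: $logfile not found (fix \$InputFileName)"
            rc=1
        fi
        if [ -f "$workdir/$statefile" ]; then
            echo "ok: imfile has polled $logfile"
        else
            echo "FAIL: no state file $workdir/$statefile yet"
            rc=1
        fi
    done
    return $rc
}

[ $# -gt 0 ] && check_imfile_config "$1"
```

For a full syntax check of the whole rsyslog configuration, including this file, run `rsyslogd -N1` separately.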