Recipe 1-10: Sending Alerts to a Central Log Host Using Syslog
This recipe shows you how to configure Apache to use Syslog to send alert data to a central logging host.
Ingredients
- Apache ErrorLog directive19
- Syslog configuration file
- Central Syslog host
The standard logging mechanism for ModSecurity uses the local file system for storage. The short, one-line alert messages are automatically logged to the Apache ErrorLog directive location. This approach works fine for smaller organizations, but if you have an entire web server farm to monitor, it can quickly become unmanageable to keep track of alerts. In this scenario, you can quite easily reconfigure your Apache settings to send its error_log data to the local Syslogd process for handling. This is quickly accomplished by updating the ErrorLog directive like this:
$ grep ErrorLog httpd.conf
#ErrorLog /var/log/httpd/error_log
ErrorLog syslog:local7This new setting sends all Apache error messages to the local syslog process using the local7 facility. The next step is to edit the syslog.conf file and add some new entries:
$ grep local7 /etc/syslog.conf
local7.* /data/httpd/error_log
local7.* @192.168.1.200Here we have added two entries to the syslog.conf file. The first entry simply reroutes the Apache error_log data to the normal local file location on the host. The second entry forwards all the same data to the central logging host at IP address 192.168.1.200 using the default UDP protocol on port 514. After these settings ...
Get Web Application Defender's Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
