
web.apache

The tags beginning with web.apache identify log events generated by the Apache Web Server.

Tag structure

The full tag must have six levels. The first two are fixed as web.apache. The third level identifies the log type/format and currently must be one of access-clf, access-combined, access-lt, access-lt-xff, access-vhc, or error.

The fourth, fifth and sixth levels are required and should identify the environment type, web application, and Apache instance respectively. 

  • environment - Describes the environment in which the event occurred. For example, development, testing, or production.

  • web application - The name of the web application.

  • clon - This is the Apache instance that caused the event. Depending on your network, this can be a machine name or the virtual name of an Apache process.

Follow the structure we propose for these three levels, because their values are saved with the events in Devo: when you open the resulting data table, they appear in the environment, site and clon columns.

Technology | Brand  | Log type/format | Environment       | Web application   | Clon
-----------+--------+-----------------+-------------------+-------------------+------------------
web        | apache | access-clf      | free but required | free but required | free but required
           |        | access-combined |                   |                   |
           |        | access-lt       |                   |                   |
           |        | access-lt-xff   |                   |                   |
           |        | access-vhc      |                   |                   |
           |        | error           |                   |                   |

Therefore, the valid tags are the following (remember that the tag must have six levels, and the last three are free):

  • web.apache.access-clf.env.app.clon

  • web.apache.access-combined.env.app.clon

  • web.apache.access-lt.env.app.clon

  • web.apache.access-lt-xff.env.app.clon

  • web.apache.access-vhc.env.app.clon

  • web.apache.error.env.app.clon

A complete valid tag example would be: web.apache.access-clf.testing.myapp.mymachine

Devo also supports the events generated by the ModSecurity web application firewall.

For more information, see the article about Devo tags.

Devo supports five formats for access log events: three standard formats (clf, combined, and vhc) and two custom formats defined by Devo (lt and ltXff). These correspond to the third level of the tag.

The format of the log events is determined by the LogFormat directive. The expressions for each of the supported formats are listed below. Note that %O (bytes sent, including headers) is provided by mod_logio; if that module is not loaded, httpd refuses to start with an "Unrecognized LogFormat directive %O" error, and %b (response body bytes) is the closest substitute.

  • access-clf for the Common Log Format (CLF). The directive that defines this (default) format is:

    CLF

    LogFormat "%h %l %u %t \"%r\" %>s %O" common

  • access-combined for the NCSA extended/combined log format. The directive that defines this format is:

    Combined

    LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

  • access-vhc for the NCSA extended/combined log format with virtual host. The directive that defines this format is:

    Virtual Host Combined

    LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined

  • access-lt for the Devo-defined format that adds more details to the standard formats listed above. The directive that defines this format is:

    Devo Access

    Where %{c1}C:%{c2}C:...:%{cN}C is the list of cookies you want reflected in the log. If you don't want to log any cookie, leave that field empty ("").

  • access-lt-xff, the same as the access-lt format but intended for web servers behind a load balancer or reverse proxy, where the client source IP is taken from the X-Forwarded-For header. The directive that defines this format is:

    Devo Access X-Forwarded-For
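The tag rules above and the three standard LogFormat strings, as an added Python example (not Devo's or Apache's own code): it validates a web.apache tag, then parses an access log line with the regular expression that corresponds to the tag's third level, returning the environment, site and clon columns together with the parsed fields. It goes slightly beyond the page by splitting the request line and converting the timestamp. The sample lines are constructed, and the access-lt and access-lt-xff formats are deliberately not parsed because their LogFormat strings do not appear on this page.

```python
import re
from datetime import datetime

# Allowed third-level values for web.apache tags (from the tag structure above).
LOG_TYPES = {"access-clf", "access-combined", "access-lt",
             "access-lt-xff", "access-vhc", "error"}


def parse_tag(tag):
    """Split a web.apache tag into its levels, enforcing the rules on this page.

    Returns the log type plus the fields Devo exposes as columns (environment,
    site, clon); raises ValueError for a malformed tag.
    """
    levels = tag.split(".")
    if len(levels) != 6:
        raise ValueError(f"tag must have exactly six levels: {tag!r}")
    if levels[:2] != ["web", "apache"]:
        raise ValueError(f"tag must start with web.apache: {tag!r}")
    if levels[2] not in LOG_TYPES:
        raise ValueError(f"unknown log type {levels[2]!r}: {tag!r}")
    if not all(levels[3:]):
        raise ValueError(f"environment, web application and clon are required: {tag!r}")
    return {"log_type": levels[2], "environment": levels[3],
            "site": levels[4], "clon": levels[5]}


# Apache escapes embedded double quotes in %r, %{Referer}i and %{User-Agent}i
# with a backslash, so a quoted field is "anything except an unescaped quote".
_QUOTED = r'(?:[^"\\]|\\.)*'

# common:         %h %l %u %t "%r" %>s %O
_CLF = (r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
        r'"(?P<request>' + _QUOTED + r')" (?P<status>\d{3}) (?P<bytes>\d+|-)')
# combined:       common + "%{Referer}i" "%{User-Agent}i"
_COMBINED = _CLF + r' "(?P<referer>' + _QUOTED + r')" "(?P<user_agent>' + _QUOTED + r')"'
# vhost_combined: %v:%p + combined
_VHOST = r'(?P<vhost>[^:\s]+):(?P<port>\d+) ' + _COMBINED

FORMATS = {
    "access-clf": re.compile(_CLF + r"$"),
    "access-combined": re.compile(_COMBINED + r"$"),
    "access-vhc": re.compile(_VHOST + r"$"),
}


def parse_access_line(tag, line):
    """Parse one access log line with the format named by the tag's third level."""
    meta = parse_tag(tag)
    regex = FORMATS.get(meta["log_type"])
    if regex is None:
        raise ValueError(f"no parser here for log type {meta['log_type']!r}")
    match = regex.match(line.rstrip("\n"))
    if match is None:
        raise ValueError(f"line does not match {meta['log_type']}: {line!r}")
    event = {**meta, **match.groupdict()}
    # %r is "METHOD target PROTOCOL"; anything else (a TLS ClientHello sent to a
    # plain-HTTP port, a malformed probe) is kept verbatim with the parts left None.
    parts = event["request"].split(" ")
    if len(parts) == 3:
        event["method"], event["path"], event["protocol"] = parts
    else:
        event["method"] = event["path"] = event["protocol"] = None
    event["status"] = int(event["status"])
    event["bytes"] = 0 if event["bytes"] == "-" else int(event["bytes"])
    event["time"] = datetime.strptime(event["time"], "%d/%b/%Y:%H:%M:%S %z")
    return event


# Constructed sample events (tag, line); not real traffic.
SAMPLE_EVENTS = [
    ("web.apache.access-clf.testing.myapp.mymachine",
     '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326'),
    ("web.apache.access-combined.testing.myapp.mymachine",
     '203.0.113.7 - alice [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 302 512 '
     '"https://myapp.example/" "Mozilla/5.0"'),
    ("web.apache.access-vhc.production.myapp.web01",
     'myapp.example:443 198.51.100.9 - - [10/Oct/2023:13:55:38 +0000] '
     '"GET /../../etc/passwd HTTP/1.1" 400 0 "-" "curl/8.4.0"'),
]

if __name__ == "__main__":
    for tag, line in SAMPLE_EVENTS:
        event = parse_access_line(tag, line)
        print(event["site"], event["clon"], event["host"], event["status"],
              event["path"], sep="\t")
```

Keying the parser on the tag rather than guessing the format from the line is the point: if the tag's third level does not match the LogFormat actually configured on the server, the line fails to parse here just as it would fail to parse in Devo, which is the quickest way to catch a mismatched tag before events are shipped.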

Sending to Devo using rsyslog

We recommend using a rsyslog configuration file to monitor and forward the Apache error and access logs. For guidance, see the articles about file monitoring and sending using rsyslog.

To locate your Apache log files, look for the ErrorLog and CustomLog directives in your Apache configuration.
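A minimal rsyslog configuration for this file-monitoring approach, as an added example (it is not the configuration from the referenced articles): imfile reads the access and error logs and assigns each a six-level web.apache tag, and a dedicated ruleset forwards only those events. The file paths, tag values, facility, the "devo" ruleset name and the relay address/port are assumptions; sending directly to a Devo cloud endpoint additionally needs the TLS settings (gtls driver and your domain's certificates) described in the rsyslog article linked above.

```rsyslog
# Added example, not Devo's published configuration. Adjust paths, tags and target.
module(load="imfile")

# Access log written by: CustomLog "/var/log/apache2/access.log" combined
# The third tag level must name the LogFormat actually in use on this server.
# The trailing colon is required for rsyslog to separate the tag from the message.
input(type="imfile"
      File="/var/log/apache2/access.log"
      Tag="web.apache.access-combined.testing.myapp.mymachine:"
      Facility="local7"
      Severity="info"
      Ruleset="devo")

# Error log written by: ErrorLog "/var/log/apache2/error.log"
input(type="imfile"
      File="/var/log/apache2/error.log"
      Tag="web.apache.error.testing.myapp.mymachine:"
      Facility="local7"
      Severity="error"
      Ruleset="devo")

# Forward only the Apache inputs; queue them and retry forever so a relay
# outage delays delivery instead of dropping events. Target/Port are placeholders.
ruleset(name="devo") {
    action(type="omfwd"
           Target="relay.example.internal"
           Port="13000"
           Protocol="tcp"
           queue.type="LinkedList"
           queue.size="100000"
           action.resumeRetryCount="-1")
}
```

Check the result with `rsyslogd -N1` before restarting the daemon, then confirm in Devo that the events land under the expected tag with the environment, site and clon columns populated.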

Sending to Devo using logger

The ErrorLog and CustomLog directives can also pipe events to an external process such as logger.

This is how you would express these directives to write events to the logger:

Forwarding to local syslog
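One way to write those directives, as an added example that is not the page's own configuration: both logs are piped through logger(1), which hands each event to the local syslog daemon with the Devo tag as its syslog tag. The tag values, the local7 facility and the logger path are assumptions.

```apache
# Added example, not the page's own directives. Adjust the tag values and facility.
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

# A leading "|" makes httpd spawn the program directly; "|$" would run it
# through /bin/sh, which is not needed here and only widens the attack surface.
# logger -t sets the syslog tag, -p the facility.severity.
CustomLog "|/usr/bin/logger -t web.apache.access-combined.testing.myapp.mymachine -p local7.info" combined
ErrorLog  "|/usr/bin/logger -t web.apache.error.testing.myapp.mymachine -p local7.err"
```

Two points to keep in mind. Piped log programs are started by the parent httpd process, so they run as the user that launched httpd, normally root; the logger binary and its directory must therefore be root-owned and not writable by anyone else. And the events only reach the local syslog daemon this way, so that daemon still has to forward facility local7 to Devo with the syslog tag intact, which is what the "sent without syslog tag" option in the note below refers to.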

A note about syslog sending

Although Apache can send its error log directly over syslog, we don't recommend this method. Syslog sending is not available for the access logs, so the installation would need a second sending method, with the added complexity that brings. When setting up logs to ingest into parsers, unselect the "sent without syslog tag" option.
