
Centralizing Apache logs on a dedicated server is a smart strategy for enhanced monitoring, analysis, and long-term storage. Instead of managing log files on each individual Apache server, you can consolidate them in one place, simplifying operations and improving overall system observability. This guide explains how to set up this process using Rsyslog, a powerful and widely used logging utility.
Rsyslog operates with a client-server model. The Apache servers needing to send logs act as clients, while the central server acts as the Rsyslog server that receives and stores these logs.
Setting Up the Central Rsyslog Server
First, configure the central server to accept incoming log messages from other machines.
- Edit the main configuration file: Access the Rsyslog configuration file, typically located at /etc/rsyslog.conf or within the /etc/rsyslog.d/ directory (often in a separate file like /etc/rsyslog.d/remote.conf).
- Enable necessary modules: Uncomment or add the lines that load the modules for receiving UDP and/or TCP traffic. UDP is faster but less reliable (messages might be dropped), while TCP is reliable but has more overhead. It's common to enable both.

```
# Provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# Provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
```

These lines instruct Rsyslog to listen on the standard syslog port, 514, for both UDP and TCP connections.
- Define rules for storing remote logs: You need to tell the server how to handle logs arriving from remote clients. A common approach is to save logs based on the hostname of the originating machine. You can add rules like this:

```
# Store remote logs based on hostname
$template RemoteHost, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteHost
```

The $template RemoteHost line defines a file path structure. %HOSTNAME% will be replaced by the client's hostname, and %PROGRAMNAME% by the program name that sent the log (e.g., apache or httpd). The *.* ?RemoteHost line is a rule that says "for any facility and any priority (*.*), save the log using the RemoteHost template". You might refine this to specifically target Apache logs if needed. Both values are read from the received message itself, so the sender chooses them; accept syslog traffic only from hosts you trust.
- Save the configuration file.
- Restart the Rsyslog service: Apply the changes by restarting Rsyslog.

```bash
sudo systemctl restart rsyslog
```

- Verify the listener: Check if Rsyslog is listening on port 514.

```bash
sudo netstat -tulnp | grep rsyslog
```

You should see output indicating rsyslogd is listening on UDP and/or TCP port 514.
- Firewall: Ensure your firewall is configured to allow incoming traffic on port 514 (UDP and TCP) from your Apache servers. Syslog over plain UDP or TCP is neither authenticated nor encrypted, so limit the rule to those source addresses rather than opening the port to every host.
Setting Up the Apache Server (Client)
Now, configure each Apache server to forward its logs to the central Rsyslog server.
- Edit the Rsyslog configuration file: Access the Rsyslog configuration file on the Apache server. Again, this is typically /etc/rsyslog.conf or a file in /etc/rsyslog.d/.
- Configure forwarding: Add a rule that specifies where to send logs. This rule should come before any local storage rules you don’t want to be applied to the forwarded logs.

```
# Forward all logs to the central server
*.* @central_syslog_server_ip:514
```

Replace central_syslog_server_ip with the actual IP address or hostname of your central Rsyslog server. The @ symbol indicates using the UDP protocol. Use @@ for the TCP protocol:

```
*.* @@central_syslog_server_ip:514
```

To specifically forward only Apache logs (if Apache is configured to log to syslog with a specific facility like local6), the rule might look like:

```
local6.* @central_syslog_server_ip:514
```

However, forwarding all logs (*.*) is often simpler if you rely on the central server to sort them.
- Ensure Apache logs are sent to syslog: By default, Apache often logs directly to files in /var/log/apache2 or /var/log/httpd. To send them via Rsyslog, you might need to configure Apache to log to syslog instead of files. This involves editing your Apache configuration files (e.g., in /etc/apache2/apache2.conf or within VirtualHost definitions) to use the syslog argument with the CustomLog and ErrorLog directives.

```apache
# Example Apache configuration snippet
ErrorLog syslog:daemon
CustomLog "|/usr/bin/logger -t apache -p daemon.info" combined
```

Note: The exact setup for piping logs into logger and then into syslog can vary. Ensure the facility and priority used (daemon.info in the example) match what Rsyslog is configured to handle on the client and server.
- Save the configuration files (both Rsyslog and any modified Apache files).
- Restart the Rsyslog service on the Apache server.

```bash
sudo systemctl restart rsyslog
```

- Reload or restart the Apache service if you modified its configuration.

```bash
sudo systemctl reload apache2 # or httpd
```

Verification
After setting up both the server and client, generate some traffic on the Apache server (e.g., access a web page). Then, check the central Rsyslog server for the received logs. Look in the directory and file path you defined with the $template (e.g., /var/log/your_apache_hostname/apache.log or similar). You should see the Apache access and error logs appearing there.
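
Once the access logs arrive in the per-host files, they can be analysed in one place. The following is an added example, not part of the original guide: it parses forwarded access-log lines and counts denied requests (401/403) per web host and client. It assumes rsyslog's default file format, the apache tag set by logger -t apache, and the combined log format; the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

def quoted(name):
    # Apache escapes embedded double quotes as \" inside quoted fields.
    return r'"(?P<%s>(?:[^"\\]|\\.)*)"' % name

# Assumed layout: rsyslog default file format (timestamp, host, tag), then
# Apache's "combined" format as piped through `logger -t apache`.
LINE_RE = re.compile(
    r'^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) apache(?:\[\d+\])?: '
    r'(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] ' + quoted("request") +
    r' (?P<status>\d{3}) (?:\d+|-) ' + quoted("referer") + " " + quoted("agent") + "$"
)

# Constructed sample lines, as if read from the per-host files on the central server.
SAMPLE = r'''Jan 12 10:15:30 web01 apache: 198.51.100.7 - - [12/Jan/2025:10:15:30 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
Jan 12 10:15:31 web01 apache: 203.0.113.9 - - [12/Jan/2025:10:15:31 +0000] "GET /admin HTTP/1.1" 401 381 "-" "curl/8.5.0"
Jan 12 10:15:32 web01 apache: 203.0.113.9 - - [12/Jan/2025:10:15:32 +0000] "GET /admin HTTP/1.1" 401 381 "-" "curl/8.5.0"
Jan 12 10:15:33 web01 apache: 203.0.113.9 - bob [12/Jan/2025:10:15:33 +0000] "GET /a?q=\"x\" HTTP/1.1" 403 199 "-" "curl/8.5.0"
Jan 12 10:15:34 web02 apache: 203.0.113.9 - - [12/Jan/2025:10:15:34 +0000] "GET /admin HTTP/1.1" 401 381 "-" "curl/8.5.0"
Jan 12 10:15:35 web01 httpd[2211]: [auth_basic:error] [pid 2211] AH01617: user bob: authentication failure
'''

def parse_line(line):
    """Return the fields of one forwarded access-log line, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def denied_by_client(lines, threshold=3, statuses=(401, 403)):
    """Return ({(web host, client): count >= threshold}, unparsed line count)."""
    hits, skipped = Counter(), 0
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if rec is None:
            skipped += 1   # e.g. ErrorLog lines, which use a different layout
        elif rec["status"] in statuses:
            hits[(rec["host"], rec["client"])] += 1
    return {k: n for k, n in hits.items() if n >= threshold}, skipped

if __name__ == "__main__":
    print(denied_by_client(SAMPLE.splitlines()))
```

Lines that do not match the access-log layout are counted rather than silently dropped, so a change in tag or format on a client shows up as a rising unparsed count.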
This setup provides a centralized point for managing all your Apache logs, making it significantly easier to monitor performance, diagnose issues, and maintain compliance requirements.
Source: https://kifarunix.com/forward-apache-logs-to-central-log-server-with-rsyslog/