Apache

Ship Apache access and error logs to logstash

Configure Filebeat to ship logs from Apache to Logstash and Elasticsearch.

Step 1 - Install Filebeat

deb (Debian/Ubuntu/Mint)

sudo apt-get install apt-transport-https
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo 'deb https://artifacts.elastic.co/packages/oss-6.x/apt stable main' | sudo tee /etc/apt/sources.list.d/beats.list

sudo apt-get update && sudo apt-get install filebeat

rpm (CentOS/RHEL/Fedora)

sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
echo "[elastic-6.x]
name=Elastic repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/oss-6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md" | sudo tee /etc/yum.repos.d/elastic-beats.repo

sudo yum install filebeat

macOS

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-6.7.1-darwin-x86_64.tar.gz 
tar xzvf filebeat-oss-6.7.1-darwin-x86_64.tar.gz

Windows

Download the Filebeat Windows zip file from the official downloads page.
Extract the contents of the zip file into C:\Program Files.
Rename the filebeat-<version>-windows directory to Filebeat.
Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator). If you are running Windows XP, you may need to download and install PowerShell.
Run the following commands to install Filebeat as a Windows service:

PS > cd 'C:\Program Files\Filebeat'
PS C:\Program Files\Filebeat> .\install-service-filebeat.ps1`

If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example: PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1.

My OS isn't here! Don't see your system? Check out the official downloads page for more options (including 32-bit versions).

Step 2 - Enable the Apache2 module

There are several built in filebeat modules you can use. You will need to enable the apache2 module. deb/rpm_

sudo filebeat modules list
sudo filebeat modules enable apache2

macOS

cd <EXTRACTED_ARCHIVE>
./filebeat modules list
./filebeat modules enable apache2

Windows

cd <EXTRACTED_ARCHIVE>
.\filebeat.exe modules list
.\filebeat.exe modules enable apache2

Additional module configuration can be done using the per module config files located in the modules.d folder, most commonly this would be to read logs from a non-default location

deb/rpm /etc/filebeat/modules.d/
mac/win <EXTRACTED_ARCHIVE>/modules.d/

Step 3 - Locate the configuration file

deb/rpm /etc/filebeat/filebeat.yml
mac/win <EXTRACTED_ARCHIVE>/filebeat.yml

Step 4 - Configure output

We'll be shipping to Logstash so that we have the option to run filters before the data is indexed.
Comment out the elasticsearch output block.

## Comment out elasticsearch output
#output.elasticsearch:
#  hosts: ["localhost:9200"]

Uncomment and change the logstash output to match below.

output.logstash:
    hosts: ["your-logstash-host:your-port"]
    loadbalance: true
    ssl.enabled: true

Step 5 - (Optional) Update Logstash Filters

All Logit stacks come pre-configured with popular Logstash filters. We would recommend that you add Apache specific filters if you don't already have them, to ensure enhanced dashboards and modules work correctly.

Edit your Logstash filters by choosing Stack > Settings > Logstash Filters

if [fileset][module] == "apache2" {
  if [fileset][name] == "access" {
    grok {
      match => { "message" => ["%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \[%{HTTPDATE:[apache2][access][time]}\] \"%{WORD:[apache2][access][method]} %{DATA:[apache2][access][url]} HTTP/%{NUMBER:[apache2][access][http_version]}\" %{NUMBER:[apache2][access][response_code]} %{NUMBER:[apache2][access][body_sent][bytes]}( \"%{DATA:[apache2][access][referrer]}\")?( \"%{DATA:[apache2][access][agent]}\")?",
        "%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \\[%{HTTPDATE:[apache2][access][time]}\\] \"-\" %{NUMBER:[apache2][access][response_code]} -" ] }
      remove_field => "message"
    }
    mutate {
      add_field => { "read_timestamp" => "%{@timestamp}" }
    }
    date {
      match => [ "[apache2][access][time]", "dd/MMM/YYYY:H:m:s Z" ]
      remove_field => "[apache2][access][time]"
    }
    useragent {
      source => "[apache2][access][agent]"
      target => "[apache2][access][user_agent]"
      remove_field => "[apache2][access][agent]"
    }
    geoip {
      source => "[apache2][access][remote_ip]"
      target => "[apache2][access][geoip]"
    }
  }
  else if [fileset][name] == "error" {
    grok {
      match => { "message" => ["\[%{APACHE_TIME:[apache2][error][timestamp]}\] \[%{LOGLEVEL:[apache2][error][level]}\]( \[client %{IPORHOST:[apache2][error][client]}\])? %{GREEDYDATA:[apache2][error][message]}",
        "\[%{APACHE_TIME:[apache2][error][timestamp]}\] \[%{DATA:[apache2][error][module]}:%{LOGLEVEL:[apache2][error][level]}\] \[pid %{NUMBER:[apache2][error][pid]}(:tid %{NUMBER:[apache2][error][tid]})?\]( \[client %{IPORHOST:[apache2][error][client]}\])? %{GREEDYDATA:[apache2][error][message1]}" ] }
      pattern_definitions => {
        "APACHE_TIME" => "%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}"
      }
      remove_field => "message"
    }
    mutate {
      rename => { "[apache2][error][message1]" => "[apache2][error][message]" }
    }
    date {
      match => [ "[apache2][error][timestamp]", "EEE MMM dd H:m:s YYYY", "EEE MMM dd H:m:s.SSSSSS YYYY" ]
      remove_field => "[apache2][error][timestamp]"
    }
  }
}

Step 6 - Validate configuration

Let's check the configuration file is syntactically correct.

deb/rpm

sudo filebeat -e -c /etc/filebeat/filebeat.yml

macOS

cd <EXTRACTED_ARCHIVE>
./filebeat -e -c filebeat.yml

Windows

cd <EXTRACTED_ARCHIVE>
filebeat.exe -e -c filebeat.yml

Step 7 - Start filebeat

Ok, time to start ingesting data!

deb/rpm

sudo systemctl enable filebeat
sudo systemctl start filebeat

mac

./filebeat

Windows

Start-Service filebeat

Step 8 - Apache Logging Overview

Apache (also known as Apache HTTP Server) is a popular open-source web server that manages incoming HTTP requests. The first edition of Apache was launched over twenty years ago in 1995 & has grown to power over 40% of websites globally. Just one of the reasons for its widespread adoption is due to its highly flexible and powerful features.

Apache produces access & error logs and as a server that manages HTTP requests, the tool generates a high amount of log data when used to monitor high traffic websites. This can be difficult to efficiently analyse without an Apache log viewer.

The error log is characterised as the most important log data you’ll want to analyse as part of your audits. It contains a wealth of information beyond just errors & can be used for comprehensive diagnostic reporting. Access logs keep track of all access requests that have been sent to your web server and include data such as IP addresses, URLs & response times.

Logit provides a complete solution for fast apache log viewing & analysis. Our platform’s built-in Apache log analyser saves on the need to configure numerous tools for the ingestion of Apache server logs as our hosted ELK Stack takes care of transforming, parsing, alerting, visualising & reporting in one centralised platform.

Followed our configuration file example for Apache and are still encountering issues? We're here to help. Reach out by contacting our team by visiting our dedicated Help Centre or via live chat & we'll be able to get back to you.

Expand View

Compact View

Return to Search