Article Number
000002037
Applies To
RSA Product Set: NetWitness Logs and Network
RSA Version/Condition: 10.6.5
Issue
Apache (HTTP) syslog will not be parsed correctly if the following conditions are true:
- Apache is installed on an Ubuntu system.
- you follow the steps in "Configure Syslog Collection for Apache HTTP Server on UNIX" in the Apache device configuration guide:
1. Open the /etc/httpd/conf/httpd.conf file and find the lines that begin with LogFormat. Add the following line after the final LogFormat line:
LogFormat "\"%m: %h %l %u %t \"%m \"%V\" \"%U\" \"%q\" %H\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cookie}i\"" rsa
2. Find the following line:
CustomLog logs/access_log combined
and replace combined with rsa, so that the line reads as follows:
CustomLog logs/access_log rsa
3. Add the following lines to the end of the /etc/rsyslog.conf file:
#### MODULES ####
$ModLoad imfile # load the imfile input module
# Watch /var/log/httpd/access_log
$InputFileName /var/log/httpd/access_log
$InputFileTag %APACHE-
$InputFileStateFile state-apache-access
$InputRunFileMonitor
*.* @ipaddress
where ipaddress is the IP address of your RSA NetWitness Suite Log Decoder or RSA NetWitness Suite Remote Log Collector.
After you complete these steps and the Ubuntu host starts sending syslog to NetWitness, the Apache events are not parsed as Apache log entries: in the Investigation meta view they appear only as word metas rather than as the parsed Apache fields.
Cause
The LogFormat and CustomLog changes never take effect, because the Ubuntu apache2 package uses a different file layout from the one the guide assumes:
- the main configuration file is /etc/apache2/apache2.conf, not /etc/httpd/conf/httpd.conf;
- the CustomLog directive for the default site lives in /etc/apache2/sites-available/000-default.conf;
- the access log is written to /var/log/apache2/access.log, not /var/log/httpd/access_log.
Apache therefore keeps logging in the combined format, the rsyslog imfile monitor is pointed at a file that does not exist, and the events that reach NetWitness are not in the rsa format the Apache parser expects.
Resolution
1. On Ubuntu, add the following line to /etc/apache2/apache2.conf, after the existing LogFormat lines:
LogFormat "\"%m: %h %l %u %t \"%m \"%V\" \"%U\" \"%q\" %H\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cookie}i\"" rsa1
2. Change the following line in /etc/apache2/sites-available/000-default.conf
From
CustomLog ${APACHE_LOG_DIR}/access.log combined
To
CustomLog ${APACHE_LOG_DIR}/access.log rsa1
3. Add the following lines in /etc/rsyslog.conf
#### MODULES ####
$ModLoad imfile # load the imfile input module
# Watch /var/log/apache2/access.log
$InputFileName /var/log/apache2/access.log
$InputFileTag %APACHE-
$InputFileStateFile state-apache-access
$InputRunFileMonitor
*.* @ipaddress
where ipaddress is the IP address of your RSA NetWitness Suite Log Decoder or RSA NetWitness Suite Remote Log Collector (a single @ forwards over UDP; use @@ipaddress to forward over TCP).
4. Restart the rsyslog and apache2 services for the changes to take effect. Run apache2ctl configtest before restarting Apache, so that a typo in the LogFormat line does not leave the web server down.
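The four resolution steps as an added example script, written for this page and not part of the RSA article, in the POSIX shell used on the Ubuntu host. Every function takes the file paths as arguments so the edits can be tried on scratch copies of apache2.conf, 000-default.conf and rsyslog.conf before the live files are touched; the detect_layout check, the idempotence guards, the verify_config check and the use of "service" for the restarts are assumptions of this example that the article does not state.

```shell
#!/bin/sh
# Added example, not from the RSA article: apply the Ubuntu resolution steps
# with explicit file paths so the same functions can be exercised on scratch
# copies of the configuration files before they touch a live host.
# Assumed (not stated by the article): the rsyslog stanza is appended to the
# file passed to add_rsyslog_imfile, and restarts go through "service".

RSA_NICK="rsa1"
# The LogFormat line from the Resolution section, verbatim.
RSA_LOGFORMAT='LogFormat "\"%m: %h %l %u %t \"%m \"%V\" \"%U\" \"%q\" %H\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cookie}i\"" rsa1'

# Report which Apache package layout exists under a filesystem root.
# "apache2" is the Ubuntu/Debian layout; "httpd" is the layout the generic
# UNIX guide assumes. Arg: root directory to inspect (normally /).
detect_layout() {
    root="${1:-/}"
    if [ -f "$root/etc/apache2/apache2.conf" ]; then
        echo apache2
    elif [ -f "$root/etc/httpd/conf/httpd.conf" ]; then
        echo httpd
    else
        echo unknown
    fi
}

# Step 1: define the rsa1 LogFormat right after the last existing LogFormat
# line of apache2.conf. Does nothing if the nickname is already defined.
add_logformat() {
    conf="$1"
    if grep -q "^LogFormat .* $RSA_NICK\$" "$conf"; then
        return 0
    fi
    if grep -q '^LogFormat ' "$conf"; then
        last=$(grep -n '^LogFormat ' "$conf" | tail -n 1 | cut -d: -f1)
        { head -n "$last" "$conf"; printf '%s\n' "$RSA_LOGFORMAT"; tail -n +"$((last + 1))" "$conf"; } > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf '%s\n' "$RSA_LOGFORMAT" >> "$conf"
    fi
}

# Step 2: switch the access log of the default site from "combined" to rsa1.
# Only an uncommented CustomLog line ending in access.log combined is touched.
set_customlog() {
    conf="$1"
    sed 's|^\([[:space:]]*CustomLog[[:space:]][^[:space:]]*access\.log\)[[:space:]][[:space:]]*combined[[:space:]]*$|\1 '"$RSA_NICK"'|' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Step 3: make rsyslog's imfile module tail the Ubuntu access log and forward
# everything to the Log Decoder / Remote Log Collector (single @ = UDP).
add_rsyslog_imfile() {
    conf="$1"; logfile="$2"; decoder="$3"
    if grep -q "^[\$]InputFileName $logfile\$" "$conf" 2>/dev/null; then
        return 0
    fi
    cat >> "$conf" <<EOF
#### MODULES ####
\$ModLoad imfile # load the imfile input module
# Watch $logfile
\$InputFileName $logfile
\$InputFileTag %APACHE-
\$InputFileStateFile state-apache-access
\$InputRunFileMonitor
*.* @$decoder
EOF
}

# Check: return 0 only when all three files carry the expected change. This
# fails on an Ubuntu host that was configured from the generic UNIX steps.
verify_config() {
    apache_conf="$1"; site_conf="$2"; rsyslog_conf="$3"; logfile="$4"
    grep -q "^LogFormat .* $RSA_NICK\$" "$apache_conf" 2>/dev/null \
        || { echo "LogFormat $RSA_NICK is not defined in $apache_conf"; return 1; }
    grep -q "^[[:space:]]*CustomLog .*access\.log $RSA_NICK\$" "$site_conf" 2>/dev/null \
        || { echo "CustomLog in $site_conf still does not use $RSA_NICK"; return 1; }
    grep -q "^[\$]InputFileName $logfile\$" "$rsyslog_conf" 2>/dev/null \
        || { echo "rsyslog in $rsyslog_conf does not watch $logfile"; return 1; }
    return 0
}

# Step 4, live run on the Ubuntu host as root: sh apache_rsa_ubuntu.sh apply <decoder-ip>
if [ "$1" = "apply" ]; then
    [ -n "$2" ] || { echo "usage: $0 apply <decoder-ip>"; exit 1; }
    [ "$(detect_layout /)" = "apache2" ] || { echo "no /etc/apache2 layout found; this script is for Ubuntu"; exit 1; }
    add_logformat /etc/apache2/apache2.conf
    set_customlog /etc/apache2/sites-available/000-default.conf
    add_rsyslog_imfile /etc/rsyslog.conf /var/log/apache2/access.log "$2"
    verify_config /etc/apache2/apache2.conf /etc/apache2/sites-available/000-default.conf \
        /etc/rsyslog.conf /var/log/apache2/access.log || exit 1
    # Reject a broken Apache configuration before restarting anything.
    apache2ctl configtest && service apache2 restart && service rsyslog restart
fi
```

verify_config is the function to run when the Investigation view still shows only word metas after the change: it reports which of the three files was left untouched, which is exactly the state the generic UNIX steps leave an Ubuntu host in.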