Adding a New Source for Apache Logs
Instead of editing the syslog-ng configuration directly, modify the config.yaml file or create a new configuration file in the /etc/logzilla/syslog-ng/conf.d directory.
# /etc/logzilla/syslog-ng/conf.d/apache.conf
source s_apache {
    file("/var/log/apache2/access.log" follow-freq(1) flags(no-parse));
    file("/var/log/apache2/error.log" follow-freq(1) flags(no-parse));
};
You can also add ssl-access.log if it's enabled on your web server.
Adding a Destination
Do not create a new 'log' entry yourself. Define only sources, destinations, filters, or rewrite rules; LogZilla will automatically create the 'log' entries.
# Destination is defined elsewhere, for example:
destination d_tls {
    network("192.0.2.1" port(1999) transport("tls"));
};
Restarting LogZilla’s syslog-ng Module
After making changes, restart LogZilla’s syslog-ng module with the following command:
logzilla restart -c syslog
Formatting Apache Logs
For Apache logs, you will need to edit the Apache configuration to format the logs properly. This step is specific to Apache.
cd /etc/apache2
vi apache2.conf
Modify the LogFormat directive to include the desired format:
LogFormat "Jan 12 12:12:12 %v apache[666]: %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %v" combined
Restart Apache to apply the changes:
service apache2 restart
Verifying the Logs
After restarting Apache, the logs should now be formatted correctly and appear in LogZilla as expected.
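One way to check the result offline, as an added example that is not part of the LogZilla documentation: the script parses lines written in the LogFormat above and reports any that do not conform, including the case where a quoted field contains an escaped quote. The function names, hostnames and sample lines are constructed for illustration.

```python
import re

def q(name):
    # A double-quoted field. Apache writes an embedded quote as \" and a
    # backslash as \\, so escapes must be skipped, not treated as the end.
    return rf'"(?P<{name}>(?:[^"\\]|\\.)*)"'

# Fields in the order of the LogFormat directive shown above.
LINE_RE = re.compile(
    r'^(?P<stamp>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<vhost>\S+) '
    r'(?P<tag>\w+\[\d+\]): (?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] ' + q('request') +
    r' (?P<status>\d{3}) (?P<bytes>\d+|-) ' + q('referer') + ' ' +
    q('agent') + r' (?P<vhost_end>\S+)$'
)

def parse_line(line):
    """Return the fields as a dict, or None if the line does not conform."""
    m = LINE_RE.match(line.rstrip('\n'))
    if m is None:
        return None
    fields = m.groupdict()
    # The format logs %v twice; a mismatch means the line is damaged.
    if fields['vhost'] != fields['vhost_end']:
        return None
    return fields

def rejected(lines):
    """1-based numbers of the lines that parse_line() does not accept."""
    return [n for n, line in enumerate(lines, 1) if parse_line(line) is None]

# Constructed sample lines (not taken from a real server).
PREFIX = ('Jan 12 12:12:12 www.example.com apache[666]: 203.0.113.7 - - '
          '[10/Mar/2024:13:55:36 +0000] ')
SAMPLE = [
    PREFIX + '"GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0" www.example.com',
    PREFIX + r'"GET / HTTP/1.1" 200 512 "-" "agent \"quoted\" 1.0" www.example.com',
    PREFIX + '"GET /',                                   # truncated write
    PREFIX + '"GET / HTTP/1.1" 200 512 "-" "x" other.example.com',  # %v differs
]

if __name__ == '__main__':
    for n in rejected(SAMPLE):
        print(f'line {n} does not match the configured LogFormat')
```

Run it against a copy of access.log by passing the file's lines to rejected(); any reported line number is worth inspecting before relying on the indexed data.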