Apache and Load Balancer

jlp · July 22, 2021, 9:41am

Hello,

I have a web application that I run on three servers, and it is behind an AWS load balancer. The app runs Apache, and using X_FORWARDED I can save in the logs the remote ip of the users.

We recently started using Graylog (a week ago), and I’m trying to configure sending logs from Apache to Graylog. Sending via Rsyslog was easy. But not overly usable. Then I configured the apache_mod_gelf module, and it works perfectly except for one very important detail. It records the ip of the load balancer instead of the remote IP.

I’m still looking for a way to send the Apache logs to Graylog in GELF format, and so far I can’t find the key. Has anyone been able to configure it behind a load balancer?

Many thanks in advance.

gsmith · July 23, 2021, 10:20pm

Hello && Welcome

So were you able to send log to Graylog using this? Or was it just with the setup with apache_mod_gelf?

The Graylog Sidecar might be your best option with receiving log from apache. I personally use it with Nxlog but there are more option that you can use.

Here is more information for you about the sidecar.

https://docs.graylog.org/en/2.3/pages/collector_sidecar.html#step-by-step-guide

jlp · August 2, 2021, 8:24am

I’m configuring Sidecar now but,

How to configure apache logs with the X_FORWARDED for filebeat or NXlog?

gsmith · August 2, 2021, 9:44pm

Nxlog can be confgiured a couple of ways for apache/httpd

This is for CentOS 7 you may have to adjust it to your environment.

Example for all apache log files (access_log,error_log,ssl_access_log,ssl_error_log,ssl_request_log).

<Input messages>
    Module       im_file
    FILE         "/var/log/httpd/*.log"
    SavePos       TRUE
    ReadFromLast  TRUE
    PollInterval  1
    Exec  $Message = $raw_event;
</Input>

Example of just one log file for apache.

<Input messages>
    Module       im_file
    FILE         "/var/log/httpd/access.log"
    SavePos       TRUE
    ReadFromLast  TRUE
    PollInterval  1
    Exec  $Message = $raw_event;
</Input>

And last would be all log files in /var/log.

<Input messages>
    Module       im_file
    FILE         "/var/log/*.log"
    SavePos       TRUE
    ReadFromLast  TRUE
    PollInterval  1
    Exec  $Message = $raw_event;
</Input>

If your going to use Nxlog then I would highly suggest you read this for added information on what to do.

https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#input-modules

Hope that helps

jlp · August 3, 2021, 10:52am

Sadly there isn’t nxlog community edition for my operating system, so I’m configuring Filebeat. And, everything seems to work correctly except for the fact that the input is not receiving data. The data is sent to the Graylog server for sure (checked with tcpdump), but the filebeat input is not receiving the data.

gsmith · August 3, 2021, 10:16pm

How did you set up you input?
Do you have a firewall enabled?

jlp · August 5, 2021, 9:05am

Yup. Solved. I forgot to restart the firewall service.

Thanks!

system · August 19, 2021, 9:05am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat apache module and Sidecar Graylog Central (peer support) sidecar , filebeat-linux	3	1647	August 20, 2021
Send apache log to graylog Graylog Central (peer support) sidecar , filebeat-linux , nosendlogfblx	9	20624	September 15, 2017
Graylog Cluster and Load Balancing Graylog Central (peer support) sidecar , winlogbeat	10	3395	August 31, 2021
Apache forwarded for address Graylog Central (peer support)	3	307	June 8, 2022
Problem ingesting rsyslog and NXLog behind an NGINX load balancer Graylog Central (peer support) sidecar , nxlog , nodatanx	2	1868	September 22, 2021

Apache and Load Balancer

Related topics