Apache and Load Balancer

Hello,

I have a web application that I run on three servers, and it is behind an AWS load balancer. The app runs Apache, and using X_FORWARDED I can save in the logs the remote IP of the users.

We recently started using Graylog (a week ago), and I’m trying to configure sending logs from Apache to Graylog. Sending via Rsyslog was easy, but not overly usable. Then I configured the apache_mod_gelf module, and it works perfectly except for one very important detail: it records the IP of the load balancer instead of the remote IP.

I’m still looking for a way to send the Apache logs to Graylog in GELF format, and so far I can’t find the key. Has anyone been able to configure it behind a load balancer?

Many thanks in advance.

Hello && Welcome

So were you able to send logs to Graylog using this? Or was it just with the setup with apache_mod_gelf?

The Graylog Sidecar might be your best option for receiving logs from Apache. I personally use it with Nxlog, but there are more options that you can use.

Here is more information for you about the sidecar.

https://docs.graylog.org/en/2.3/pages/collector_sidecar.html#step-by-step-guide

I’m configuring Sidecar now but,

How to configure apache logs with the X_FORWARDED for filebeat or NXlog?

Nxlog can be configured a couple of ways for apache/httpd.

This is for CentOS 7; you may have to adjust it to your environment.

Example for all apache log files (access_log,error_log,ssl_access_log,ssl_error_log,ssl_request_log).

<Input messages>
    Module       im_file
    # The httpd log names listed above end in _log, so match on that suffix
    FILE         "/var/log/httpd/*_log"
    SavePos       TRUE
    ReadFromLast  TRUE
    PollInterval  1
    Exec  $Message = $raw_event;
</Input>

Example of just one log file for apache.

<Input messages>
    Module       im_file
    # CentOS 7 httpd writes access_log (underscore), as in the list above
    FILE         "/var/log/httpd/access_log"
    SavePos       TRUE
    ReadFromLast  TRUE
    PollInterval  1
    Exec  $Message = $raw_event;
</Input>

And last would be all log files in /var/log.

<Input messages>
    Module       im_file
    FILE         "/var/log/*.log"
    SavePos       TRUE
    ReadFromLast  TRUE
    PollInterval  1
    Exec  $Message = $raw_event;
</Input>

If you're going to use Nxlog then I would highly suggest you read this for added information on what to do.

https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#input-modules

Hope that helps
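The inputs above ship each line unchanged (`$Message = $raw_event`), so the client address only reaches Graylog if Apache writes the X-Forwarded-For header into the line and something extracts the right entry from it. The sketch below is an added example, not code from this thread or from Graylog: the LogFormat, the `xff_common` nickname, the GELF field names and the sample lines are all assumptions. It uses only the last X-Forwarded-For entry, the one the AWS load balancer appends, because earlier entries come from the client and can be forged.

```python
import ipaddress
import json
import re
from datetime import datetime

# Assumed Apache format (hypothetical nickname "xff_common"):
#   LogFormat "%h \"%{X-Forwarded-For}i\" %t \"%r\" %>s %b" xff_common
# %h is the TCP peer (the load balancer); the quoted field is the raw header.
LINE_RE = re.compile(
    r'^(?P<peer>\S+) "(?P<xff>(?:[^"\\]|\\.)*)" \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '10.0.1.25 "203.0.113.7" [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512',
    # The client sent its own X-Forwarded-For; the balancer appended the real peer.
    '10.0.1.25 "198.51.100.99, 203.0.113.7" [10/Oct/2023:13:55:37 +0000] "GET /admin HTTP/1.1" 403 199',
    # No header at all (e.g. a health check): Apache logs "-".
    '10.0.1.25 "-" [10/Oct/2023:13:55:38 +0000] "GET /health HTTP/1.1" 200 2',
]

def client_ip(xff, peer):
    """Return the last X-Forwarded-For entry if it is a valid IP, else the peer."""
    last = xff.rsplit(",", 1)[-1].strip()
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return peer  # missing or malformed header: never trust earlier entries

def to_gelf(line, host):
    """Turn one access-log line into a GELF 1.1 dict, or None if it does not parse."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    status = int(m["status"])
    return {
        "version": "1.1",
        "host": host,
        "short_message": m["request"],
        "timestamp": ts.timestamp(),
        "level": 3 if status >= 500 else 6,  # syslog severity: error / info
        "_client_ip": client_ip(m["xff"], m["peer"]),
        "_lb_ip": m["peer"],
        "_xff_raw": m["xff"],  # full chain kept for investigation only
        "_http_status": status,
    }

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(json.dumps(to_gelf(sample_line, "web-1")))
```

Keeping `_xff_raw` alongside `_client_ip` lets a Graylog search surface requests that arrived with a pre-populated header, which is a common sign of an attempt to spoof the source address.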

Sadly there isn’t an NXLog community edition for my operating system, so I’m configuring Filebeat. Everything seems to work correctly except for the fact that the input is not receiving data. The data is sent to the Graylog server for sure (checked with tcpdump), but the Filebeat input is not receiving the data.

How did you set up your input?
Do you have a firewall enabled?